Multiple vulnerabilities were fixed in OpenSSL 0.9.8k:

1) An error exists in the "ASN1_STRING_print_ex()" function when printing "BMPString" or "UniversalString" strings. This can be exploited to trigger an access to invalid memory and cause a crash via an illegal encoded string length when e.g. printing the contents of a certificate.

2) The "CMS_verify()" function incorrectly handles an error condition when processing malformed signed attributes. This can be exploited to trick an application into considering a malformed set of signed attributes valid and skip further checks. NOTE: This vulnerability only affects OpenSSL versions 0.9.8h and later with CMS enabled (disabled by default). Successful exploitation requires access to a previously generated invalid signature.

3) An error when processing malformed ASN1 structures can be exploited to trigger an access to invalid memory and cause a crash via a specially crafted certificate. NOTE: This vulnerability is only present on platforms where the size of "long" is smaller than the size of "void *" (e.g. WIN64).

Please note that the OpenSSL in the base system is likely vulnerable to these issues too. But since I am not sure now, I am not mentioning this in the VuXML entry.

Fix: The following patch updates the port to 0.9.8k. It passes 'make validate' and works for my daily operations.
The following VuXML entry should be evaluated and added:

<vuln vid="31c51f51-1ba3-11de-8775-001b77d09812">
  <topic>OpenSSL -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>openssl</name>
      <range><lt>0.9.8k</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Secunia reports:</p>
      <blockquote cite="http://secunia.com/advisories/34411/">
        <p>Some vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).</p>
        <ol>
          <li>An error exists in the "ASN1_STRING_print_ex()" function when printing "BMPString" or "UniversalString" strings. This can be exploited to trigger an access to invalid memory and cause a crash via an illegal encoded string length when e.g. printing the contents of a certificate.</li>
          <li>The "CMS_verify()" function incorrectly handles an error condition when processing malformed signed attributes. This can be exploited to trick an application into considering a malformed set of signed attributes valid and skip further checks. <em>NOTE: This vulnerability only affects OpenSSL versions 0.9.8h and later with CMS enabled (disabled by default).</em> Successful exploitation requires access to a previously generated invalid signature.</li>
          <li>An error when processing malformed ASN1 structures can be exploited to trigger an access to invalid memory and cause a crash via a specially crafted certificate. <em>NOTE: This vulnerability is only present on platforms where the size of "long" is smaller than the size of "void*" (e.g. WIN64).</em></li>
        </ol>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2009-0590</cvename>
    <cvename>CVE-2009-0591</cvename>
    <cvename>CVE-2009-0789</cvename>
    <bid>34256</bid>
    <url>http://secunia.com/advisories/34411/</url>
    <url>http://www.openssl.org/news/secadv_20090325.txt</url>
  </references>
  <dates>
    <discovery>2009-03-25</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---

[attachment: update-to-0.9.8k.diff]

From c77146d7d0faf0f5226133f75ecf6249e6e81b31 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 28 Mar 2009 17:27:19 +0300

patch-enc_min.c was removed, because the issue was fixed in the vendor version.

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 security/openssl/Makefile              |    3 +--
 security/openssl/distinfo              |    6 +++---
 security/openssl/files/patch-enc_min.c |   11 -----------
 3 files changed, 4 insertions(+), 16 deletions(-)
 delete mode 100644 security/openssl/files/patch-enc_min.c

diff --git a/security/openssl/Makefile b/security/openssl/Makefile index d283f91..639974b 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -6,8 +6,7 @@ # PORTNAME= openssl -PORTVERSION= 0.9.8j -PORTREVISION= 1 +PORTVERSION= 0.9.8k CATEGORIES= security devel MASTER_SITES= http://www.openssl.org/%SUBDIR%/ \ ftp://ftp.openssl.org/%SUBDIR%/ \ diff --git a/security/openssl/distinfo b/security/openssl/distinfo index 625d8f0..7e1cd3e 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo
@@ -1,3 +1,3 @@ -MD5 (openssl-0.9.8j.tar.gz) = a5cb5f6c3d11affb387ecf7a997cac0c -SHA256 (openssl-0.9.8j.tar.gz) = 7131242042dbd631fbd83436f42aea1775e7c32f587fa4ada5a01df4c3ae8e8b -SIZE (openssl-0.9.8j.tar.gz) = 3738359 +MD5 (openssl-0.9.8k.tar.gz) = e555c6d58d276aec7fdc53363e338ab3 +SHA256 (openssl-0.9.8k.tar.gz) = 7e7cd4f3974199b729e6e3a0af08bd4279fde0370a1120c1a3b351ab090c6101 +SIZE (openssl-0.9.8k.tar.gz) = 3852259 diff --git a/security/openssl/files/patch-enc_min.c b/security/openssl/files/patch-enc_min.c deleted file mode 100644 index 7d4af5a..0000000 --- a/security/openssl/files/patch-enc_min.c +++ /dev/null @@ -1,11 +0,0 @@ ---- crypto/evp/enc_min.c.orig 2008-12-02 19:14:44.000000000 +0100 -+++ crypto/evp/enc_min.c 2009-01-09 18:20:35.000000000 +0100 -@@ -199,7 +199,7 @@ - enc = 1; - ctx->encrypt = enc; - } --#ifdef OPENSSL_NO_FIPS -+#ifndef OPENSSL_NO_FIPS - if(FIPS_selftest_failed()) - { - FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED); -- 1.6.1.3 How-To-Repeat: http://secunia.com/advisories/34411/ http://www.openssl.org/news/secadv_20090325.txt
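Review bot: Dropping `-PORTREVISION= 1` in the same hunk as the `-PORTVERSION= 0.9.8j` / `+PORTVERSION= 0.9.8k` bump is correct, since the port revision restarts at zero on a new upstream release; the Makefile hunk needs nothing further.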
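Review bot: The distinfo hunk can only be reviewed by regenerating it, so `make makesum` against the 0.9.8k tarball fetched from the MASTER_SITES listed in the Makefile should reproduce the `+SHA256 (openssl-0.9.8k.tar.gz) = 7e7cd4f3...` and `+SIZE (openssl-0.9.8k.tar.gz) = 3852259` lines exactly before this is committed. The SHA256 line is what protects the fetch; the MD5 line adds no integrity beyond it.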
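Review bot: Deleting files/patch-enc_min.c hands crypto/evp/enc_min.c back to whatever 0.9.8k ships, and the removed hunk shows why that deserves a check: the local patch turned `-#ifdef OPENSSL_NO_FIPS` into `+#ifndef OPENSSL_NO_FIPS` so that the `FIPS_selftest_failed()` guard is compiled in when FIPS is enabled rather than when it is disabled. The commit message says the vendor fixed this; confirm that the 0.9.8k source carries the `#ifndef` before the patch is dropped, otherwise the self-test check silently disappears again.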
Responsible Changed From-To: freebsd-ports-bugs->dinoex
Over to maintainer (via the GNATS Auto Assign Tool)
dinoex 2009-03-28 17:32:24 UTC

FreeBSD ports repository

Modified files:
  security/openssl       Makefile distinfo
Removed files:
  security/openssl/files patch-enc_min.c
Log:
- Security update to 0.9.8k

Security: http://www.openssl.org/news/secadv_20090325.txt
Security: CVE-2009-0590
Security: CVE-2009-0591 (port not affected)
Security: CVE-2009-0789
PR: 133156
Submitted by: Eygene Ryabinkin

Revision  Changes    Path
1.145     +1 -2      ports/security/openssl/Makefile
1.51      +3 -3      ports/security/openssl/distinfo
1.2       +0 -11     ports/security/openssl/files/patch-enc_min.c (dead)
Here are the references to the OpenSSL repository commits that were fixing the vulnerabilities mentioned in secadv_20090325:

http://cvs.openssl.org/chngview?cn=17907
http://cvs.openssl.org/chngview?cn=17908
http://cvs.openssl.org/chngview?cn=17909

I see that both /stable/7 and /head have no such changes, so they should be evaluated and possibly added to the bundled OpenSSL, because it seems to be also vulnerable to the mentioned bugs.
-- 
Eygene
Remember that it is hard to read the on-line manual while single-stepping the kernel. -- FreeBSD Developers handbook
State Changed From-To: open->patched
Port is updated. Waiting for vulnerability entry. And keep it open for base.
On Sun, Mar 29, 2009 at 03:04:44AM +0400, Eygene Ryabinkin wrote:
> I see that both /stable/7 and /head have no such changes, so they should
> be evaluated and possibly added to the bundled OpenSSL, because it seems
> to be also vulnerable to the mentioned bugs.

The base system received a patch for the OpenSSL issue 7 hours ago (FreeBSD-SA-09:08.openssl), so the only thing that is left is the VuXML entry for the base system. I had drafted one:

--- vuln.xml begins here ---
<vuln vid="fbc8413f-2f7a-11de-9a3f-001b77d09812">
  <topic>FreeBSD -- remotely exploitable crash in OpenSSL</topic>
  <affects>
    <package>
      <name>FreeBSD</name>
      <range><ge>6.3</ge><lt>6.3_10</lt></range>
      <range><ge>6.4</ge><lt>6.4_4</lt></range>
      <range><ge>7.0</ge><lt>7.0_12</lt></range>
      <range><ge>7.1</ge><lt>7.1_5</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <h1>Problem Description</h1>
      <p>The function ASN1_STRING_print_ex does not properly validate the lengths of BMPString or UniversalString objects before attempting to print them.</p>
      <h1>Impact</h1>
      <p>An application which attempts to print a BMPString or UniversalString which has an invalid length will crash as a result of OpenSSL accessing invalid memory locations. This could be used by an attacker to crash a remote application.</p>
      <h1>Workaround</h1>
      <p>No workaround is available, but applications which do not use the ASN1_STRING_print_ex function (either directly or indirectly) are not affected.</p>
    </body>
  </description>
  <references>
    <freebsdsa>SA-09:08.openssl</freebsdsa>
    <cvename>CVE-2009-0590</cvename>
  </references>
  <dates>
    <discovery>2009-03-25</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---
-- 
Eygene
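As an added illustration (not OpenSSL's code and not the upstream fix referenced in this PR) of the check that item 1 of the port entry and the Problem Description above say ASN1_STRING_print_ex lacked: a BMPString is UCS-2 (2 bytes per code unit) and a UniversalString is UCS-4 (4 bytes per character), so an encoded length that is not a multiple of the character width has to be rejected before the bytes are walked, or the reader steps past the buffer. The tag numbers are the standard X.680 values; the function names, decoder and sample bytes are assumptions made for this example.

```c
/* Added example, not OpenSSL code: reject an encoded length that is not a
 * multiple of the character width before walking a BMPString (UCS-2) or
 * UniversalString (UCS-4). Names, decoder and sample bytes are assumptions. */
#include <stddef.h>
#include <stdint.h>

/* Universal tag numbers from X.680 (same values as OpenSSL's V_ASN1_*). */
#define TAG_UNIVERSALSTRING 28
#define TAG_BMPSTRING       30

/* Constructed sample inputs, not taken from any real certificate. */
static const unsigned char SAMPLE_BMP_OK[]  = {0x00, 0x41, 0x00, 0x42};  /* "AB" */
static const unsigned char SAMPLE_BMP_ODD[] = {0x00, 0x41, 0x00};        /* 3 bytes: malformed */
static const unsigned char SAMPLE_UNIV_OK[] = {0x00, 0x01, 0xF6, 0x00};  /* U+1F600 */

/* Bytes per encoded character: 2 for BMPString, 4 for UniversalString, 0 otherwise. */
static size_t char_width(int tag)
{
    return tag == TAG_BMPSTRING ? 2 : tag == TAG_UNIVERSALSTRING ? 4 : 0;
}

/* 1 if len is a legal encoded length for tag, 0 if it is not. */
int asn1_wide_len_ok(int tag, size_t len)
{
    size_t w = char_width(tag);
    return w != 0 && len % w == 0;
}

/* Decode big-endian code units from buf into out (at most max entries).
 * Returns the character count, or -1 for a malformed length or a UCS-4
 * value outside Unicode. Never reads beyond buf + len. */
long asn1_wide_decode(int tag, const unsigned char *buf, size_t len,
                      uint32_t *out, size_t max)
{
    size_t w = char_width(tag), i, k, n = 0;
    if (!asn1_wide_len_ok(tag, len))
        return -1;                        /* the check the advisory describes */
    for (i = 0; i + w <= len; i += w) {   /* i + w <= len: no overrun */
        uint32_t c = 0;
        for (k = 0; k < w; k++)
            c = (c << 8) | buf[i + k];
        if (c > 0x10FFFF)
            return -1;
        if (n < max)
            out[n] = c;
        n++;
    }
    return (long)n;
}
```

With the odd-length sample the decoder returns -1 before touching any byte, which is the behaviour a caller printing certificate fields wants instead of a crash.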
dinoex 2009-05-07 07:40:39 UTC

FreeBSD ports repository

Modified files:
  security/vuxml         vuln.xml
Log:
- add SA-09:08.openssl

PR: 133156

Revision  Changes    Path
1.1924    +39 -1     ports/security/vuxml/vuln.xml
State Changed From-To: patched->closed
Committed, thanks.