Bug 133156 - [patch] [vuxml] security/openssl: update to 0.9.8k thus fixing secadv_20090325
Status: Closed FIXED
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assigned To: Dirk Meyer
Reported: 2009-03-28 14:50 UTC by rea-fbsd
Modified: 2009-05-07 08:56 UTC (History)

Description rea-fbsd 2009-03-28 14:50:01 UTC
Multiple vulnerabilities were fixed in OpenSSL 0.9.8k:

1) An error exists in the "ASN1_STRING_print_ex()" function when
printing "BMPString" or "UniversalString" strings. This can be exploited
to trigger an access to invalid memory and cause a crash via an illegal
encoded string length when e.g. printing the contents of a certificate.

2) The "CMS_verify()" function incorrectly handles an error condition
when processing malformed signed attributes. This can be exploited to
trick an application into considering a malformed set of signed
attributes valid and skip further checks.

NOTE: This vulnerability only affects OpenSSL versions 0.9.8h and later
with CMS enabled (disabled by default).

Successful exploitation requires access to a previously generated
invalid signature.

3) An error when processing malformed ASN1 structures can be exploited
to trigger an access to invalid memory and cause a crash via a specially
crafted certificate.

NOTE: This vulnerability is only present on platforms where the size of
"long" is smaller than the size of "void *" (e.g. WIN64).


Please note that the OpenSSL in the base system is likely vulnerable to
these issues too.  But since I am not sure now, I am not mentioning
this in the VuXML entry.

Fix: The following patch updates the port to 0.9.8k.  It passes 'make
validate' and works for my daily operations.



The following VuXML entry should be evaluated and added:
  <vuln vid="31c51f51-1ba3-11de-8775-001b77d09812">
    <topic>OpenSSL -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>openssl</name>
        <range><lt>0.9.8k</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Secunia reports:</p>
        <blockquote
          cite="http://secunia.com/advisories/34411/">
          <p>Some vulnerabilities have been reported in OpenSSL, which
          can be exploited by malicious people to bypass certain
          security restrictions or cause a DoS (Denial of Service).</p>
          <ol>
            <li> An error exists in the "ASN1_STRING_print_ex()"
            function when printing "BMPString" or "UniversalString"
            strings. This can be exploited to trigger an access to
            invalid memory and cause a crash via an illegal encoded
            string length when e.g. printing the contents of a
            certificate.</li>
            <li> The "CMS_verify()" function incorrectly handles an
            error condition when processing malformed signed attributes.
            This can be exploited to trick an application into
            considering a malformed set of signed attributes valid and
            skip further checks.
              <em>NOTE: This vulnerability only affects OpenSSL versions
              0.9.8h and later with CMS enabled (disabled by
              default).</em>
            Successful exploitation
            requires access to a previously generated invalid
            signature.</li>
            <li> An error when processing malformed ASN1 structures can
            be exploited to trigger an access to invalid memory and
            cause a crash via a specially crafted certificate.
              <em>NOTE: This vulnerability is only present on platforms
              where the size of "long" is smaller than the size of
              "void*" (e.g.  WIN64).</em>
            </li>
          </ol>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2009-0590</cvename>
      <cvename>CVE-2009-0591</cvename>
      <cvename>CVE-2009-0789</cvename>
      <bid>34256</bid>
      <url>http://secunia.com/advisories/34411/</url>
      <url>http://www.openssl.org/news/secadv_20090325.txt</url>
    </references>
    <dates>
      <discovery>2009-03-25</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---

From c77146d7d0faf0f5226133f75ecf6249e6e81b31 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 28 Mar 2009 17:27:19 +0300

patch-enc_min.c was removed, because the issue was fixed in the vendor
version.

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 security/openssl/Makefile              |    3 +--
 security/openssl/distinfo              |    6 +++---
 security/openssl/files/patch-enc_min.c |   11 -----------
 3 files changed, 4 insertions(+), 16 deletions(-)
 delete mode 100644 security/openssl/files/patch-enc_min.c

diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index d283f91..639974b 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=	openssl
-PORTVERSION=	0.9.8j
-PORTREVISION=	1
+PORTVERSION=	0.9.8k
 CATEGORIES=	security devel
 MASTER_SITES=	http://www.openssl.org/%SUBDIR%/ \
 		ftp://ftp.openssl.org/%SUBDIR%/ \
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index 625d8f0..7e1cd3e 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,3 +1,3 @@
-MD5 (openssl-0.9.8j.tar.gz) = a5cb5f6c3d11affb387ecf7a997cac0c
-SHA256 (openssl-0.9.8j.tar.gz) = 7131242042dbd631fbd83436f42aea1775e7c32f587fa4ada5a01df4c3ae8e8b
-SIZE (openssl-0.9.8j.tar.gz) = 3738359
+MD5 (openssl-0.9.8k.tar.gz) = e555c6d58d276aec7fdc53363e338ab3
+SHA256 (openssl-0.9.8k.tar.gz) = 7e7cd4f3974199b729e6e3a0af08bd4279fde0370a1120c1a3b351ab090c6101
+SIZE (openssl-0.9.8k.tar.gz) = 3852259
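Review bot: the three replaced values on the openssl-0.9.8k.tar.gz lines cannot be validated from the diff itself, and the MASTER_SITES visible in the Makefile context are plain http:// and ftp:// URLs, so these digests are the only integrity control on the fetched tarball. Before committing, recompute SHA256 and SIZE from a tarball that has been checked against upstream's signed release rather than from a single download over those transports. The MD5 line can stay for tooling, but the SHA256 line is the one that should be relied on.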
diff --git a/security/openssl/files/patch-enc_min.c b/security/openssl/files/patch-enc_min.c
deleted file mode 100644
index 7d4af5a..0000000
--- a/security/openssl/files/patch-enc_min.c
+++ /dev/null
@@ -1,11 +0,0 @@
---- crypto/evp/enc_min.c.orig	2008-12-02 19:14:44.000000000 +0100
-+++ crypto/evp/enc_min.c	2009-01-09 18:20:35.000000000 +0100
-@@ -199,7 +199,7 @@
- 			enc = 1;
- 		ctx->encrypt = enc;
- 		}
--#ifdef OPENSSL_NO_FIPS
-+#ifndef OPENSSL_NO_FIPS
- 	if(FIPS_selftest_failed())
- 		{
- 		FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
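Review bot: deleting files/patch-enc_min.c is only safe if the crypto/evp/enc_min.c shipped in 0.9.8k already carries the corrected guard, and neither this hunk nor the commit message ("the issue was fixed in the vendor version") says where that was checked. The dropped patch changed "#ifdef OPENSSL_NO_FIPS" to "#ifndef OPENSSL_NO_FIPS" in front of the FIPS_selftest_failed() test near line 199. Please confirm the guard against the extracted 0.9.8k source, or reference the upstream change in the commit message, so the inverted condition cannot silently come back.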
-- 
1.6.1.3
How-To-Repeat: 
http://secunia.com/advisories/34411/
http://www.openssl.org/news/secadv_20090325.txt
Comment 1 Edwin Groothuis freebsd_committer 2009-03-28 14:50:13 UTC
Responsible Changed
From-To: freebsd-ports-bugs->dinoex

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dfilter freebsd_committer 2009-03-28 17:32:37 UTC
dinoex      2009-03-28 17:32:24 UTC

  FreeBSD ports repository

  Modified files:
    security/openssl     Makefile distinfo 
  Removed files:
    security/openssl/files patch-enc_min.c 
  Log:
  - Security update to 0.9.8k
  Security: http://www.openssl.org/news/secadv_20090325.txt
  Security: CVE-2009-0590
  Security: CVE-2009-0591 (port not affected)
  Security: CVE-2009-0789
  PR:             133156
  Submitted by:   Eygene Ryabinkin
  
  Revision  Changes    Path
  1.145     +1 -2      ports/security/openssl/Makefile
  1.51      +3 -3      ports/security/openssl/distinfo
  1.2       +0 -11     ports/security/openssl/files/patch-enc_min.c (dead)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 3 rea-fbsd 2009-03-28 23:04:44 UTC
Here are the references to the OpenSSL repository commits that fixed
the vulnerabilities mentioned in secadv_20090325:
  http://cvs.openssl.org/chngview?cn=17907
  http://cvs.openssl.org/chngview?cn=17908
  http://cvs.openssl.org/chngview?cn=17909

I see that both /stable/7 and /head have no such changes, so they should
be evaluated and possibly added to the bundled OpenSSL, because it seems
to be also vulnerable to the mentioned bugs.
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
Comment 4 Dirk Meyer freebsd_committer 2009-03-29 09:11:09 UTC
State Changed
From-To: open->patched


port is updated. 
waiting for vulnerability entry. 
and keep it open for base.
Comment 5 rea-fbsd 2009-04-22 22:19:25 UTC
Sun, Mar 29, 2009 at 03:04:44AM +0400, Eygene Ryabinkin wrote:
> I see that both /stable/7 and /head have no such changes, so they should
> be evaluated and possibly added to the bundled OpenSSL, because it seems
> to be also vulnerable to the mentioned bugs.

Base systems received a patch for the OpenSSL issue 7 hours ago
(FreeBSD-SA-09:08.openssl), so the only thing that is left
is the VuXML entry for the base system.

I had drafted one:
--- vuln.xml begins here ---
  <vuln vid="fbc8413f-2f7a-11de-9a3f-001b77d09812">
    <topic>FreeBSD -- remotely exploitable crash in OpenSSL</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>6.3</ge><lt>6.3_10</lt></range>
        <range><ge>6.4</ge><lt>6.4_4</lt></range>
        <range><ge>7.0</ge><lt>7.0_12</lt></range>
        <range><ge>7.1</ge><lt>7.1_5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <h1>Problem Description</h1>
        <p>The function ASN1_STRING_print_ex does not properly validate
        the lengths of BMPString or UniversalString objects before
        attempting to print them.</p>
        <h1>Impact</h1>
        <p>An application which attempts to print a BMPString or
        UniversalString which has an invalid length will crash as a
        result of OpenSSL accessing invalid memory locations.  This
        could be used by an attacker to crash a remote application.</p>
        <h1>Workaround</h1>
        <p>No workaround is available, but applications which do not use
        the ASN1_STRING_print_ex function (either directly or
        indirectly) are not affected.</p>
      </body>
    </description>
    <references>
      <freebsdsa>SA-09:08.openssl</freebsdsa>
      <cvename>CVE-2009-0590</cvename>
    </references>
    <dates>
      <discovery>2009-03-25</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
-- 
Eygene
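An added example, not part of this PR or of the VuXML tooling: a matcher that evaluates the <range> bounds of the two entries drafted in this PR against an installed version, which is how such an entry flags a host as affected. The names version_key and affected_by and the version ordering (numeric components, optional letter suffix, _N revision) are assumptions of this example and cover only the version shapes that appear on this page, not the full ports version comparison.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the <affects> parts of the two entries from this PR.
VUXML = """<vuxml>
  <vuln vid="31c51f51-1ba3-11de-8775-001b77d09812">
    <affects><package><name>openssl</name>
      <range><lt>0.9.8k</lt></range>
    </package></affects>
  </vuln>
  <vuln vid="fbc8413f-2f7a-11de-9a3f-001b77d09812">
    <affects><package><name>FreeBSD</name>
      <range><ge>6.3</ge><lt>6.3_10</lt></range>
      <range><ge>6.4</ge><lt>6.4_4</lt></range>
      <range><ge>7.0</ge><lt>7.0_12</lt></range>
      <range><ge>7.1</ge><lt>7.1_5</lt></range>
    </package></affects>
  </vuln>
</vuxml>"""

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "eq": lambda a, b: a == b, "ge": lambda a, b: a >= b,
       "gt": lambda a, b: a > b}

def version_key(version):
    """Assumed ordering for N.N.N[letter][_rev]; not the full ports rules."""
    main, _, rev = version.partition("_")
    parts = []
    for comp in main.split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", comp)
        if m is None:
            raise ValueError(f"unsupported version component: {comp!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return (tuple(parts), int(rev or 0))

def affected_by(xml_text, name, version):
    """Return the vids of entries whose ranges cover name/version."""
    installed = version_key(version)
    hits = []
    for vuln in ET.fromstring(xml_text).iter("vuln"):
        for pkg in vuln.iter("package"):
            if name not in [n.text for n in pkg.findall("name")]:
                continue
            for rng in pkg.findall("range"):
                # All bounds inside one <range> must hold; ranges are alternatives.
                if all(OPS[b.tag](installed, version_key(b.text)) for b in rng):
                    hits.append(vuln.get("vid"))
                    break
    return hits
```

With the constructed input, the previous port version 0.9.8j_1 and a base system at 7.1_4 both match, while 0.9.8k and 7.1_5 do not.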
Comment 6 dfilter freebsd_committer 2009-05-07 08:40:48 UTC
dinoex      2009-05-07 07:40:39 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  - add SA-09:08.openssl
  PR:             133156
  
  Revision  Changes    Path
  1.1924    +39 -1     ports/security/vuxml/vuln.xml
Comment 7 Dirk Meyer freebsd_committer 2009-05-07 08:55:54 UTC
State Changed
From-To: patched->closed

committed, thanks.