Bug 134653 - [patch][vuxml] security/openssl: fix memory exhaustion in DTLS code
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Dirk Meyer
Reported: 2009-05-18 16:40 UTC by Eygene Ryabinkin
Modified: 2009-05-30 22:00 UTC

Description Eygene Ryabinkin 2009-05-18 16:40:01 UTC
Two DTLS problems that lead to memory leaks were fixed by OpenSSL
developers; [1], [2].

Fix: The following patch brings upstream patches to the FreeBSD port:


The following VuXML entry should be evaluated and added:
  <vuln vid="d84b3398-43b0-11de-9b62-0022156e8794">
    <topic>openssl -- Denial of Service in DTLS implementation</topic>
    <affects>
      <package>
        <name>openssl</name>
        <range><ge>0.9.8</ge><lt>0.9.8k_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>OpenSSL developers report on the DTLS unlimited record
        buffer growth:</p>
        <blockquote
          cite="http://rt.openssl.org/Ticket/Display.html?id=1930">
          <p>Records are buffered if they arrive with a future epoch to
          be processed after finishing the corresponding handshake.
          There is currently no limitation to this buffer allowing an
          attacker to perform a DOS attack with sending records with
          future epochs until there is no memory left.</p>
        </blockquote>
        <p>OpenSSL developers report on the DTLS fragment handling memory
        leak:</p>
        <blockquote
          cite="http://rt.openssl.org/Ticket/Display.html?id=1931">
          <p>In dtls1_process_out_of_seq_message() the check if the
          current message is already buffered was missing.  For every new
          message was memory allocated, allowing an attacker to perform
          an denial of service attack with sending out of seq handshake
          messages until there is no memory left.  Additionally every
          future message was buffered, even if the sequence number made
          no sense and would be part of another handshake.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2009-1377</cvename>
      <cvename>CVE-2009-1378</cvename>
      <url>http://rt.openssl.org/Ticket/Display.html?id=1930</url>
      <url>http://rt.openssl.org/Ticket/Display.html?id=1931</url>
    </references>
    <dates>
      <discovery>2009-05-18</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---

The mentioned patches also apply fine to the OpenSSL in HEAD, though
more testing is needed: DTLS client and server from the base system
segfault badly on most of my attempts.

I am not sure if anyone uses DTLS now, but the bug should be fixed
anyway.

Please note: if anyone wants to test openssl s_client/s_server with
dtls1, he should manually set the MTU value via '-mtu NNNN' -- OpenSSL's MTU
discovery is badly broken on FreeBSD and produces 0xFFFFFFFF as the MTU
value that will be transformed into (-1) and will cause harm :((

From 5f601b8118ae27f33d04142b96c7084b0f93913b Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Mon, 18 May 2009 17:53:10 +0400

Patches were taken directly from the OpenSSL RT bugtracker:
  http://rt.openssl.org/Ticket/Display.html?id=1930
  http://rt.openssl.org/Ticket/Display.html?id=1931

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 security/openssl/Makefile                  |    1 +
 security/openssl/files/patch-CVE-2009-1377 |   46 ++++++++++++++++++++++++++++
 security/openssl/files/patch-CVE-2009-1378 |   22 +++++++++++++
 3 files changed, 69 insertions(+), 0 deletions(-)
 create mode 100644 security/openssl/files/patch-CVE-2009-1377
 create mode 100644 security/openssl/files/patch-CVE-2009-1378

diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 72c3f4c..65d889d 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	openssl
 PORTVERSION=	0.9.8k
+PORTREVISION=	1
 CATEGORIES=	security devel
 MASTER_SITES=	http://www.openssl.org/%SUBDIR%/ \
 		ftp://ftp.openssl.org/%SUBDIR%/ \
diff --git a/security/openssl/files/patch-CVE-2009-1377 b/security/openssl/files/patch-CVE-2009-1377
new file mode 100644
index 0000000..9d0e941
--- /dev/null
+++ b/security/openssl/files/patch-CVE-2009-1377
@@ -0,0 +1,46 @@
+Obtained-from: http://rt.openssl.org/Ticket/Attachment/22260/10159/dtls-record-buffer-bug-1.0.0.patch
+
+--- crypto/pqueue/pqueue.c	2005-12-20 08:03:10.000000000 +0100
++++ crypto/pqueue/pqueue.c	2009-05-15 16:07:33.000000000 +0200
+@@ -237,3 +237,17 @@
+ 
+ 	return ret;
+ 	}
++
++int
++pqueue_size(pqueue_s *pq)
++{
++	pitem *item = pq->items;
++	int count = 0;
++	
++	while(item != NULL)
++	{
++		count++;
++		item = item->next;
++	}
++	return count;
++}
+
+--- crypto/pqueue/pqueue.h	2005-06-08 00:21:14.000000000 +0200
++++ crypto/pqueue/pqueue.h	2009-05-15 16:07:03.000000000 +0200
+@@ -89,5 +89,6 @@
+ pitem *pqueue_next(piterator *iter);
+ 
+ void   pqueue_print(pqueue pq);
++int	   pqueue_size(pqueue pq);
+ 
+ #endif /* ! HEADER_PQUEUE_H */
+
+--- ssl/d1_pkt.c	2009-04-23 18:32:40.000000000 +0200
++++ ssl/d1_pkt.c	2009-05-15 16:06:23.000000000 +0200
+@@ -207,6 +207,10 @@
+ 	DTLS1_RECORD_DATA *rdata;
+ 	pitem *item;
+ 
++	/* Limit the size of the queue to prevent DOS attacks */
++	if (pqueue_size(queue->q) >= 100)
++		return 0;
++		
+ 	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
+ 	item = pitem_new(priority, rdata);
+ 	if (rdata == NULL || item == NULL)
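Review bot: The queue cap in the ssl/d1_pkt.c part is a bare literal, `if (pqueue_size(queue->q) >= 100)`, with no explanation of why 100; a named constant would make the limit self-documenting and easy to tune. pqueue_size() counts by walking every item on each call, which is acceptable only because the same cap keeps the list at 100 entries or fewer, so a comment on the function saying so would help. The `return 0` sits before the allocation, which is the right order, but the visible lines do not show whether the caller can tell a dropped record from a stored one. The definition in pqueue.c takes `pqueue_s *pq` while the declaration in pqueue.h takes `pqueue pq`; worth confirming both spell the same type.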
diff --git a/security/openssl/files/patch-CVE-2009-1378 b/security/openssl/files/patch-CVE-2009-1378
new file mode 100644
index 0000000..9b00d55
--- /dev/null
+++ b/security/openssl/files/patch-CVE-2009-1378
@@ -0,0 +1,22 @@
+Obtained-from: http://rt.openssl.org/Ticket/Attachment/22314/10203/dtls-fragment-memleak-bug.patch
+
+--- ssl/d1_both.c	2009-05-18 09:57:08.000000000 +0200
++++ ssl/d1_both.c	2009-05-18 10:08:51.000000000 +0200
+@@ -561,7 +561,16 @@
+ 	if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+ 		goto err;
+ 
+-	if (msg_hdr->seq <= s->d1->handshake_read_seq)
++	/* Try to find item in queue, to prevent duplicate entries */
++	pq_64bit_init(&seq64);
++	pq_64bit_assign_word(&seq64, msg_hdr->seq);
++	item = pqueue_find(s->d1->buffered_messages, seq64);
++	pq_64bit_free(&seq64);
++	
++	/* Discard the message if sequence number was already there, is
++	 * too far in the future or the fragment is already in the queue */
++	if (msg_hdr->seq <= s->d1->handshake_read_seq ||
++		msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
+ 		{
+ 		unsigned char devnull [256];
+ 
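Review bot: The look-ahead window in the new condition in ssl/d1_both.c is the bare literal 10 (`msg_hdr->seq > s->d1->handshake_read_seq + 10`); it should be a named constant with a comment on why that many future handshake messages may be buffered. The pqueue_find() lookup also runs before the cheaper sequence-number comparisons, so a queue search is done even for messages that are discarded on sequence number alone; doing the lookup only when the sequence number falls inside the window would avoid that. `seq64` and `item` are used here but declared outside the visible lines, so check that later code in the function does not depend on `item` still holding its initial value.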
-- 
1.6.3.1
How-To-Repeat: 
[1] http://rt.openssl.org/Ticket/Display.html?id=1930
[2] http://rt.openssl.org/Ticket/Display.html?id=1931
[3] http://article.gmane.org/gmane.comp.security.oss.general/1769
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2009-05-18 16:40:15 UTC
Responsible Changed
From-To: freebsd-ports-bugs->dinoex

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dfilter service freebsd_committer freebsd_triage 2009-05-20 13:56:35 UTC
dinoex      2009-05-20 12:56:26 UTC

  FreeBSD ports repository

  Modified files:
    security/openssl     Makefile 
  Added files:
    security/openssl/files patch-CVE-2009-1377 patch-CVE-2009-1378 
  Log:
  - Security Fix
  Security:       CVE-2009-1377
  Security:       CVE-2009-1378
  Security:       http://article.gmane.org/gmane.comp.security.oss.general/1769
  PR:             134653
  
  Revision  Changes    Path
  1.146     +1 -0      ports/security/openssl/Makefile
  1.1       +46 -0     ports/security/openssl/files/patch-CVE-2009-1377 (new)
  1.1       +22 -0     ports/security/openssl/files/patch-CVE-2009-1378 (new)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 3 Dirk Meyer freebsd_committer freebsd_triage 2009-05-20 14:01:58 UTC
State Changed
From-To: open->patched

Patches committed, thanks. 
waiting for VuXML
Comment 4 dfilter service freebsd_committer freebsd_triage 2009-05-30 21:53:31 UTC
miwi        2009-05-30 20:53:22 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  - Document openssl -- denial of service in DTLS implementation
  
  PR:             based on 134653
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  
  Revision  Changes    Path
  1.1957    +35 -1     ports/security/vuxml/vuln.xml
Comment 5 Martin Wilke freebsd_committer freebsd_triage 2009-05-30 21:53:32 UTC
State Changed
From-To: patched->closed

documented thx for your good work.