Bug 1127499 (CVE-2014-3505)
| Field | Value |
|---|---|
| Summary | CVE-2014-3505 openssl: DTLS packet processing double free |
| Product | [Other] Security Response |
| Reporter | Andrew Griffiths <agriffit> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | aavati, abaron, alonbl, aneelica, aortega, apevec, ayoung, bazulay, bmcclain, bressers, cdewolf, cfergeau, chazlett, chrisw, dallan, dandread, darran.lofthouse, dblechte, dgregor, dknox, ecohen, erik-fedora, fdeutsch, fnasser, gkotton, huwang, idith, iheim, jason.greene, jawilson, jclere, jdoyle, jgreguske, jrusnack, ktietz, lfarkas, lgao, lhh, lpeer, lsurette, markmc, myarboro, nlevinki, pgier, pslavice, pstehlik, rbalakri, rbryant, rfortier, rhs-bugs, rh-spice-bugs, rjones, rsvoboda, sclewis, shaines, smohan, ssaha, tmraz, vbellur, vtunka, weli, ycui, yeylon |
| Target Milestone | --- |
| Target Release | --- |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | openssl 1.0.1i, openssl 1.0.0n, openssl 0.9.8zb |
| Doc Type | Bug Fix |
| Doc Text | A flaw was discovered in the way OpenSSL handled DTLS packets. A remote attacker could use this flaw to cause a DTLS server or client using OpenSSL to crash or use excessive amounts of memory. |
| Story Points | --- |
| Last Closed | 2014-09-24 17:43:11 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1127695, 1127696, 1127697, 1127698, 1127704, 1127705, 1127709, 1127831, 1127832, 1127885, 1128013, 1128014, 1128015, 1128016, 1128405, 1128406, 1128961, 1181611 |
| Bug Blocks | 1127468, 1127506, 1138223, 1142543 |
Description
Andrew Griffiths
2014-08-07 02:01:13 UTC
External References: https://www.openssl.org/news/secadv_20140806.txt

Upstream commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bff1ce4e6a1c57c3d0a5f9e4f85ba6385fccfe8b

Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1127704]

Created mingw-openssl tracking bugs for this issue:
Affects: fedora-all [bug 1127705]

Created mingw-openssl tracking bugs for this issue:
Affects: epel-7 [bug 1127709]

openssl-1.0.1e-39.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

openssl-1.0.1e-39.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

The upstream vulnerabilities page now lists only versions starting with 0.9.8m as affected by this issue. It seems the reason is the following change, which introduced the problem:
https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff;f=ssl/d1_both.c;h=0a5c08d;hb=f86d651;hpb=efa59b8
http://cvs.openssl.org/filediff?f=openssl/ssl/d1_both.c&v1=1.4.2.11&v2=1.4.2.15

Before the change, it was not possible to reach the "err" goto label with item != NULL in dtls1_process_out_of_seq_message(), so the OPENSSL_free(item) there was never called. While this change was introduced upstream in 0.9.8m, it was also backported to the Red Hat Enterprise Linux 5 openssl packages based on upstream version 0.9.8e, as the change was the fix for CVE-2009-1378 (bug 501254). It was first included in openssl packages released via RHSA-2009:1335 as part of the Red Hat Enterprise Linux 5.4 minor release.

The other part of the CVE-2014-3505 fix, the dtls1_reassemble_fragment() change, is only applicable to upstream versions 0.9.8o and 1.0.0a, which include the following fixes for DTLS fragment handling:
https://rt.openssl.org/Ticket/Display.html?id=2230&user=guest&pass=guest
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c713a4c
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1507f3a

Issue Description: A flaw was discovered in the way OpenSSL handled DTLS packets. A remote attacker could use this flaw to cause a DTLS server or client using OpenSSL to crash or use excessive amounts of memory.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2014:1053 https://rhn.redhat.com/errata/RHSA-2014-1053.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2014:1052 https://rhn.redhat.com/errata/RHSA-2014-1052.html

This issue has been addressed in the following products:
Red Hat Storage 2.1
Via RHSA-2014:1054 https://rhn.redhat.com/errata/RHSA-2014-1054.html

This issue has been addressed in the following products:
JBoss Web Server 2.1.0
Via RHSA-2014:1256 https://rhn.redhat.com/errata/RHSA-2014-1256.html

This issue has been addressed in the following products:
JBoss Enterprise Application Platform 6.3.0
Via RHSA-2014:1297 https://rhn.redhat.com/errata/RHSA-2014-1297.html
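The comments above explain that the "err" label in dtls1_process_out_of_seq_message() became reachable with item != NULL, so OPENSSL_free(item) ran on an item the buffered-message queue already owned. The C program below is an added example, not OpenSSL code and not the patch linked above: it models that shape with a hypothetical pool-backed queue (frag_item, frag_queue, item_new, queue_insert, process_out_of_seq_buggy and process_out_of_seq_fixed are all constructed names), counts double frees instead of performing them, and shows the usual fix of clearing the local pointer once ownership has been handed off to the container.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not OpenSSL code: a toy reassembly queue modelled on the
 * ownership mistake described above. Items come from a static pool so a second
 * free is counted instead of corrupting the heap (no undefined behaviour).
 * All names are hypothetical. */
#define POOL_SIZE 16

typedef struct { unsigned seq; int in_use; } frag_item;        /* in_use: 1 allocated, 0 freed */
typedef struct { frag_item *items[POOL_SIZE]; size_t n; } frag_queue;

static frag_item pool[POOL_SIZE];
static int double_free_count;   /* bumped when an already-freed item is freed again */

static frag_item *item_new(unsigned seq)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].seq = seq;
            return &pool[i];
        }
    return NULL;
}

static void item_free(frag_item *it)
{
    if (it == NULL) return;
    if (!it->in_use) { double_free_count++; return; }   /* second free of the same item */
    it->in_use = 0;
}

static int queue_insert(frag_queue *q, frag_item *it)
{
    if (q->n >= POOL_SIZE) return 0;
    q->items[q->n++] = it;                               /* the queue now owns the item */
    return 1;
}

static void queue_free(frag_queue *q)
{
    for (size_t i = 0; i < q->n; i++) item_free(q->items[i]);
    q->n = 0;
}

/* Buggy shape: an error raised after the item was handed to the queue reaches
 * err with item still non-NULL, so the item is freed here and again at queue
 * teardown. fail_after_insert stands in for a later check failing on a packet. */
static int process_out_of_seq_buggy(frag_queue *q, unsigned seq, int fail_after_insert)
{
    frag_item *item = item_new(seq);
    if (item == NULL) goto err;
    if (!queue_insert(q, item)) goto err;
    if (fail_after_insert) goto err;    /* item != NULL past the hand-off */
    return 1;
err:
    item_free(item);
    return 0;
}

/* Fixed shape: drop the local reference once ownership moves to the queue, so
 * the shared error path frees only what this function still owns. */
static int process_out_of_seq_fixed(frag_queue *q, unsigned seq, int fail_after_insert)
{
    frag_item *item = item_new(seq);
    if (item == NULL) goto err;
    if (!queue_insert(q, item)) goto err;
    item = NULL;                        /* ownership transferred; err must not free it */
    if (fail_after_insert) goto err;
    return 1;
err:
    item_free(item);
    return 0;
}

/* Runs one variant through the late-failure path, tears the queue down and
 * returns the number of double frees observed (0 is the correct result). */
static int run_scenario(int use_fixed)
{
    frag_queue q;
    memset(&q, 0, sizeof q);
    memset(pool, 0, sizeof pool);
    double_free_count = 0;
    if (use_fixed) process_out_of_seq_fixed(&q, 7, 1);
    else           process_out_of_seq_buggy(&q, 7, 1);
    queue_free(&q);
    return double_free_count;
}

int main(void)
{
    printf("buggy variant: %d double free(s)\n", run_scenario(0));   /* 1 */
    printf("fixed variant: %d double free(s)\n", run_scenario(1));   /* 0 */
    return 0;
}
```

The instrumented pool is only there to make the fault observable in a test; in a real build the same scenario would be an actual double free that AddressSanitizer (-fsanitize=address) reports at the second free. When reviewing C code that uses a shared goto-err cleanup block, the question to ask at every point where a pointer is stored into a container is whether the local variable is cleared before any later jump to err, which is exactly the condition the comment above identifies as having been violated after the CVE-2009-1378 change.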