Bug 1202395 (CVE-2015-0292)

Summary: CVE-2015-0292 openssl: integer underflow leading to buffer overflow in base64 decoding
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acathrow, bmcclain, bugzilla-redhat, cdewolf, cfergeau, chrisw, dandread, darran.lofthouse, dblechte, erik-fedora, idith, jason.greene, jawilson, jboss-set, jclere, jdoyle, lgao, lsurette, marcandre.lureau, michal.skrivanek, mnewsome, myarboro, nlevinki, pgier, pslavice, rfortier, rhs-bugs, rh-spice-bugs, rjones, rsvoboda, security-response-team, sgirijan, srevivo, ssaha, steve.rigby, tmraz, twalsh, vbellur, vtunka, weli, ykaul, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl 1.0.1h, openssl 1.0.0m, openssl 0.9.8za Doc Type: Bug Fix
Doc Text:
An integer underflow flaw, leading to a buffer overflow, was found in the way OpenSSL decoded malformed Base64-encoded inputs. An attacker able to make an application using OpenSSL decode a specially crafted Base64-encoded input (such as a PEM file) could use this flaw to cause the application to crash. Note: this flaw is not exploitable via the TLS/SSL protocol because the data being transferred is not Base64-encoded.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:39:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1196738, 1203070, 1203071, 1203082, 1203083, 1203855, 1203856, 1205026, 1205494, 1205495, 1207507    
Bug Blocks: 1202442, 1205499    

Description Martin Prpič 2015-03-16 14:26:59 UTC 
A vulnerability existed in previous versions of OpenSSL related to the processing of base64-encoded data. Any code path that reads base64 data from an untrusted source could be affected (such as the PEM processing routines). Maliciously crafted base 64 data could trigger a segmenation fault or memory corruption. This was addressed in previous versions of OpenSSL but has not been included in any security advisory until now.

This issue affects OpenSSL versions 1.0.1, 1.0.0, and 0.9.8. This issue is fixed in versions: 1.0.1h, 1.0.0m, and 0.9.8za.

Acknowledgements:

Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Robert Dugal and David Ramos as the original reporters.
Comment 1 Tomas Hoger 2015-03-16 20:56:00 UTC 
Upstream bug report:
https://rt.openssl.org/Ticket/Display.html?id=2608&user=guest&pass=guest

Upstream commits:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d0666f2 (1.0.1)
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=84fe686 (1.0.0)
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9febee0 (0.9.8)
Comment 3 Tomas Hoger 2015-03-17 22:51:56 UTC 
There is an integer underflow issue, which can result in the decoded bytes counter to have negative value (in the range of -1 to -16).  That value is subsequently used as memcpy() size argument, leading to attempt to copy close to SIZE_MAX bytes.  Hence program crashes before memcpy() completes.  However, memcpy() target buffer is overflown, so this has some code execution impact risk for e.g. multi-threaded programs.
Comment 7 Martin Prpič 2015-03-19 14:35:00 UTC 
External References:

https://openssl.org/news/secadv_20150319.txt
https://access.redhat.com/articles/1384453
Comment 8 Tomas Hoger 2015-03-19 19:05:30 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1196738]
Comment 9 Tomas Hoger 2015-03-19 19:05:34 UTC 
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1203855]
Affects: epel-7 [bug 1203856]
Comment 10 Fedora Update System 2015-03-22 04:40:11 UTC 
openssl-1.0.1k-6.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-03-22 04:40:49 UTC 
openssl-1.0.1k-6.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2015-03-23 07:18:13 UTC 
openssl-1.0.1e-42.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 errata-xmlrpc 2015-03-23 20:51:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0715 https://rhn.redhat.com/errata/RHSA-2015-0715.html
Comment 15 errata-xmlrpc 2015-03-23 23:04:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0716 https://rhn.redhat.com/errata/RHSA-2015-0716.html
Comment 18 errata-xmlrpc 2015-03-30 07:58:47 UTC 
This issue has been addressed in the following products:

  Red Hat Storage 2.1

Via RHSA-2015:0752 https://rhn.redhat.com/errata/RHSA-2015-0752.html
Comment 20 errata-xmlrpc 2015-04-13 11:54:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:0800 https://rhn.redhat.com/errata/RHSA-2015-0800.html