Bug 1297437

Summary: mbedtls, polarssl: potential double free during certificate generation
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Fixed In Version: mbedtls 2.2.1, mbedtls 2.1.4, mbedtls 1.3.16, polarssl 1.2.19
Doc Type: Bug Fix
Last Closed: 2021-10-21 00:49:16 UTC
Reporter: Andrej Nemec <anemec>
Assignee: Red Hat Product Security <security-response-team>
CC: mads, mstevens, redhat-bugzilla
Bug Depends On: 1297438, 1297439

Description Andrej Nemec 2016-01-11 14:15:27 UTC
In case an entry with the given OID already exists in the list passed to
mbedtls_asn1_store_named_data() and there is not enough memory to allocate
room for the new value, the existing entry will be freed but the preceding
entry in the list will still hold a pointer to it. (And the following entries
in the list are no longer reachable.) This results in a memory leak or a double
free.

Upstream fix available here:

https://github.com/ARMmbed/mbedtls/commit/97b5209bc01ab8b3b519fdb46cefc04739433124

Upstream issue:

https://github.com/ARMmbed/mbedtls/issues/367
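
Added illustration (editor's example; not part of this report and not the upstream mbedtls source): a simplified named-data list with the free-then-allocate ordering the description points at, beside the allocate-then-free ordering that leaves the list consistent when the allocation fails. The struct, the find/insert/store helpers, the fault-injecting allocator and the two OIDs are constructed stand-ins for mbedtls_asn1_named_data, mbedtls_asn1_find_named_data and mbedtls_asn1_store_named_data, not their real definitions:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for mbedtls_asn1_named_data: OID buffer, value buffer, next link. */
typedef struct { unsigned char *p; size_t len; } buf_t;
typedef struct named_data { buf_t oid; buf_t val; struct named_data *next; } named_data;

/* Constructed fault-injecting allocator: fails the next calloc on request and logs freed
 * addresses, so a dangling link can be recognised by value without touching freed memory. */
static int fail_next_alloc; static uintptr_t freed_log[32]; static size_t freed_n;
static void *mem_calloc(size_t n, size_t sz) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return calloc(n, sz);
}
static void mem_free(void *p) {
    if (p != NULL && freed_n < 32) freed_log[freed_n++] = (uintptr_t)p;
    free(p);
}
static int was_freed(const void *p) {
    for (size_t i = 0; i < freed_n; i++) if (freed_log[i] == (uintptr_t)p) return 1;
    return 0;
}

static named_data *find_named_data(named_data *cur, const unsigned char *oid, size_t oid_len) {
    for (; cur != NULL; cur = cur->next)
        if (cur->oid.len == oid_len && memcmp(cur->oid.p, oid, oid_len) == 0) return cur;
    return NULL;
}
/* New entry: linked into the list only after every allocation succeeded. */
static named_data *insert_new(named_data **head, const unsigned char *oid, size_t oid_len, size_t val_len) {
    named_data *cur = mem_calloc(1, sizeof *cur);
    if (cur == NULL) return NULL;
    cur->oid.p = mem_calloc(1, oid_len); cur->val.p = mem_calloc(1, val_len);
    if (cur->oid.p == NULL || cur->val.p == NULL) {
        mem_free(cur->oid.p); mem_free(cur->val.p); mem_free(cur); return NULL;
    }
    memcpy(cur->oid.p, oid, oid_len);
    cur->oid.len = oid_len; cur->val.len = val_len;
    cur->next = *head; *head = cur;
    return cur;
}

/* Flawed ordering from the description: the old value is freed before the new one is allocated,
 * and on failure the node is freed while its predecessor (or *head) still points at it. */
static named_data *store_vuln(named_data **head, const unsigned char *oid, size_t oid_len,
                              const unsigned char *val, size_t val_len) {
    named_data *cur = find_named_data(*head, oid, oid_len);
    if (cur == NULL) {
        if ((cur = insert_new(head, oid, oid_len, val_len)) == NULL) return NULL;
    } else if (cur->val.len < val_len) {
        mem_free(cur->val.p);
        cur->val.p = mem_calloc(1, val_len);
        /* node is still linked: dangling pointer, and the entries behind it are lost */
        if (cur->val.p == NULL) { mem_free(cur->oid.p); mem_free(cur); return NULL; }
        cur->val.len = val_len;
    }
    memcpy(cur->val.p, val, val_len);
    return cur;
}

/* Corrected ordering: allocate first and release the old buffer only on success, so a failed
 * enlarge returns NULL and leaves the list and the old value untouched. */
static named_data *store_fixed(named_data **head, const unsigned char *oid, size_t oid_len,
                               const unsigned char *val, size_t val_len) {
    named_data *cur = find_named_data(*head, oid, oid_len);
    if (cur == NULL) {
        if ((cur = insert_new(head, oid, oid_len, val_len)) == NULL) return NULL;
    } else if (cur->val.len < val_len) {
        unsigned char *p = mem_calloc(1, val_len);
        if (p == NULL) return NULL;
        mem_free(cur->val.p);
        cur->val.p = p; cur->val.len = val_len;
    }
    memcpy(cur->val.p, val, val_len);
    return cur;
}

/* Build [B -> A], then grow A's value with the allocation forced to fail. Returns 1 if B->next
 * now refers to freed memory (a later walk or cleanup would read and free it again), 2 if A
 * survived but lost its old value, 0 if A and its value are intact. */
static int demo(int use_fixed) {
    static const unsigned char oid_a[] = {0x55, 0x04, 0x03}, oid_b[] = {0x55, 0x04, 0x0A}; /* constructed */
    named_data *(*store)(named_data **, const unsigned char *, size_t, const unsigned char *, size_t) =
        use_fixed ? store_fixed : store_vuln;
    named_data *head = NULL, *a, *b; int rc; freed_n = 0;
    a = store(&head, oid_a, 3, (const unsigned char *)"v1", 2);
    b = store(&head, oid_b, 3, (const unsigned char *)"Example", 7);
    if (a == NULL || b == NULL) return -1;
    fail_next_alloc = 1;                                    /* simulated out-of-memory */
    (void)store(&head, oid_a, 3, (const unsigned char *)"longer-value", 12);
    if (was_freed(b->next)) { rc = 1; b->next = NULL; }     /* unlink so cleanup cannot double-free */
    else rc = (a->val.len == 2 && memcmp(a->val.p, "v1", 2) == 0) ? 0 : 2;
    for (named_data *n = head, *next; n != NULL; n = next) {
        next = n->next; mem_free(n->val.p); mem_free(n->oid.p); mem_free(n);
    }
    return rc;
}
int main(void) { return (demo(0) == 1 && demo(1) == 0) ? 0 : 1; }
```

demo(0) returns 1: the flawed variant leaves B->next pointing at the freed node for A, so any later walk of the list (the cleanup that frees every entry, for instance) reads freed memory and frees it a second time. demo(1) returns 0: the corrected variant fails before anything is released, so the caller sees NULL and the list is still valid. Removing the unlink line in demo() and building with -fsanitize=address makes the use-after-free and double free visible at cleanup time.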

Comment 1 Andrej Nemec 2016-01-11 14:15:44 UTC
Fedora 22, package polarssl, is not vulnerable because it currently has polarssl-1.3.9-3.fc22 in stable

Comment 2 Andrej Nemec 2016-01-11 14:16:07 UTC
Created mbedtls tracking bugs for this issue:

Affects: fedora-all [bug 1297438]
Affects: epel-all [bug 1297439]

Comment 3 Morten Stevens 2016-01-11 14:50:42 UTC
Please note: PolarSSL has been replaced with mbedTLS. We no longer support PolarSSL.

Comment 4 Martin Prpič 2016-01-11 15:02:40 UTC
(In reply to Morten Stevens from comment #3)
> Please note: PolarSSL has been replaced with mbedTLS. We no longer
> support PolarSSL.

Hi, unfortunately the polarssl package is still available in the latest version of Fedora. If you no longer support PolarSSL and will not build new fixed versions, then the package should be removed according to the guidelines in:

https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

Comment 5 Morten Stevens 2016-01-11 15:19:31 UTC
(In reply to Martin Prpic from comment #4)
> (In reply to Morten Stevens from comment #3)
> > Please note: PolarSSL has been replaced with mbedTLS. We no longer
> > support PolarSSL.
> 
> Hi, unfortunately the polarssl package is still available in the latest
> version of Fedora. If you no longer support PolarSSL and will not build new
> fixed versions, then the package should be removed according to the
> guidelines in:
> 
> https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

Of course, that has already happened: https://admin.fedoraproject.org/pkgdb/package/rpms/polarssl/

Regarding Fedora 22: you'll get mbedTLS automatically if you have the older PolarSSL installed.

Comment 6 Martin Prpič 2016-01-11 15:22:36 UTC
(In reply to Morten Stevens from comment #5)
> (In reply to Martin Prpic from comment #4)
> > (In reply to Morten Stevens from comment #3)
> > > Please note: PolarSSL has been replaced with mbedTLS. We no longer
> > > support PolarSSL.
> > 
> > Hi, unfortunately the polarssl package is still available in the latest
> > version of Fedora. If you no longer support PolarSSL and will not build new
> > fixed versions, then the package should be removed according to the
> > guidelines in:
> > 
> > https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life
> 
> Of course, that has already happened:
> https://admin.fedoraproject.org/pkgdb/package/rpms/polarssl/
> 

Ah, cool, this build confused me because it's tagged as f23 but not actually in the mirrors:

http://koji.fedoraproject.org/koji/buildinfo?buildID=658695

> Regarding Fedora 22: you'll get mbedTLS automatically if you have the
> older PolarSSL installed.

Fair enough, thanks!

Comment 7 Fedora Update System 2016-01-19 23:28:18 UTC
mbedtls-2.2.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-01-19 23:53:26 UTC
mbedtls-1.3.16-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2016-01-26 15:42:06 UTC
mbedtls-2.2.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2016-01-27 15:58:27 UTC
mbedtls-2.2.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-01-27 16:12:38 UTC
mbedtls-2.2.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.