Bug 1312219 (CVE-2016-0799)

Summary: CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bmcclain, cdewolf, csutherl, dblechte, dougsland, eedri, erik-fedora, gzaronik, jawilson, jclere, jkeilson, ktietz, lgao, lsurette, marcandre.lureau, mbabacek, mgoldboi, michal.skrivanek, mjc, mturk, myarboro, pstehlik, redhat-bugzilla, rjones, sardella, security-response-team, slawomir, slong, slukasik, srevivo, tmraz, twalsh, weli, ycui, ykaul, ykawada, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
See Also: https://issues.redhat.com/browse/JBCS-94
Whiteboard:
Fixed In Version: openssl 1.0.1s, openssl 1.0.2g Doc Type: Bug Fix
Doc Text:
Several flaws were found in the way BIO_*printf functions were implemented in OpenSSL. Applications which passed large amounts of untrusted data through these functions could crash or potentially execute code with the permissions of the user running such an application.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:48:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1312856, 1312857, 1312858, 1321841, 1321842, 1331569, 1331865, 1331866, 1366994    
Bug Blocks: 1314768, 1395463    

Description Huzaifa S. Sidhpurwala 2016-02-26 06:44:51 UTC 
As per Upstream advisory:

The internal |fmtstr| function used in processing a "%s" format string in the
BIO_*printf functions could overflow while calculating the length of a string
and cause an OOB read when printing very long strings.

Additionally the internal |doapr_outch| function can attempt to write to an OOB
memory location (at an offset from the NULL pointer) in the event of a memory
allocation failure. In 1.0.2 and below this could be caused where the size of a
buffer to be allocated is greater than INT_MAX. E.g. this could be in processing
a very long "%s" format string. Memory leaks can also occur.

These issues will only occur on certain platforms where sizeof(size_t) >
sizeof(int). E.g. many 64 bit systems. The first issue may mask the second issue
dependent on compiler behaviour. These problems could enable attacks where large
amounts of untrusted data is passed to the BIO_*printf functions. If
applications use these functions in this way then they could be vulnerable.
OpenSSL itself uses these functions when printing out human-readable dumps of
ASN.1 data. Therefore applications that print this data could be vulnerable if
the data is from untrusted sources. OpenSSL command line applications could also
be vulnerable where they print out ASN.1 data, or if untrusted data is passed as
command line arguments.

Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was reported to OpenSSL on February 23rd by Guido Vranken.  The fix was developed by Matt Caswell of the OpenSSL development team.
Comment 1 Martin Prpič 2016-02-29 12:00:02 UTC 
Public via:

Upstream patch:

http://git.openssl.org/?p=openssl.git;a=commitdiff;h=9cb177301fdab492e4cfef376b28339afe3ef663

Detailed write-up:

https://guidovranken.wordpress.com/2016/02/27/openssl-cve-2016-0799-heap-corruption-via-bio_printf/
Comment 2 Martin Prpič 2016-02-29 12:02:22 UTC 
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1312858]
Comment 3 Martin Prpič 2016-02-29 12:02:28 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1312856]
Comment 4 Martin Prpič 2016-02-29 12:02:34 UTC 
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1312857]
Comment 5 Martin Prpič 2016-02-29 12:33:10 UTC 
Acknowledgments:

Name: the OpenSSL project
Upstream: Guido Vranken
Comment 6 Fedora Update System 2016-03-03 20:22:27 UTC 
openssl-1.0.2g-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Huzaifa S. Sidhpurwala 2016-03-10 08:51:56 UTC 
Statement:

The original issue fixed by OpenSSL upstream contains two distinct fixes. The first one is a format string flaw in the internal fmtstr functions, which may result in a OOB read flaw when printing very large string. This issue was assigned CVE-2016-0799

The second issue relates to the internal doapr_outch function of OpenSSL. It can result in an OOB write, or cause memory leaks. This issue has been assigned CVE-2016-2842 by MITRE as is now tracked as https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2842
Comment 8 Fedora Update System 2016-03-13 09:51:42 UTC 
openssl-1.0.1k-14.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 errata-xmlrpc 2016-05-09 09:28:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0722 https://rhn.redhat.com/errata/RHSA-2016-0722.html
Comment 16 errata-xmlrpc 2016-05-10 04:20:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0996 https://rhn.redhat.com/errata/RHSA-2016-0996.html
Comment 19 jkeilson 2016-05-16 15:42:40 UTC 
There appears to be a problem with the source RPM for RHEL6. It looks like something is wrong with one of the certs used in the tests.
Comment 23 Tomas Mraz 2016-05-17 14:12:46 UTC 
(In reply to jkeilson from comment #19)
> There appears to be a problem with the source RPM for RHEL6. It looks like
> something is wrong with one of the certs used in the tests.

Unfortunately the certs used for the tests expired. If you want to rebuild the source you have to artificially manipulate the date on the machine used to the rebuild or disable the tests.

The certs will be updated in future openssl erratum.
Comment 25 Fedora Update System 2016-05-27 23:16:22 UTC 
openssl101e-1.0.1e-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 27 errata-xmlrpc 2016-10-18 07:08:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2016:2073 https://rhn.redhat.com/errata/RHSA-2016-2073.html
Comment 28 errata-xmlrpc 2016-12-15 22:16:24 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html