Bug 1314757 (CVE-2016-2842)

Summary: CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, dknox, dosoudil, erik-fedora, gzaronik, huzaifas, jason.greene, jawilson, jboss-set, jclere, jdoyle, ktietz, lgao, marcandre.lureau, mbabacek, mturk, myarboro, petercho, pgier, psakar, pslavice, psotirop, redhat-bugzilla, rjones, rnetuka, rsvoboda, sardella, security-response-team, slawomir, slukasik, tmraz, twalsh, vtunka, weli, ykawada, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
See Also: https://issues.redhat.com/browse/JBCS-93
Fixed In Version: openssl 1.0.1s, openssl 1.0.2g
Doc Type: Bug Fix
Doc Text:
Several flaws were found in the way BIO_*printf functions were implemented in OpenSSL. Applications which passed large amounts of untrusted data through these functions could crash or potentially execute code with the permissions of the user running such an application.
Last Closed: 2019-06-08 02:49:23 UTC
Bug Depends On: 1312856, 1312857, 1312858, 1314764, 1314765, 1314766, 1321841, 1321842, 1331569, 1331865, 1331866, 1366994    
Bug Blocks: 1314768, 1395463    

Description Adam Mariš 2016-03-04 12:15:42 UTC
It was found that the doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data. This issue is different from CVE-2016-0799.

Upstream patch:

https://git.openssl.org/?p=openssl.git;a=commit;h=578b956fe741bf8e84055547b1e83c28dd902c73
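
An added illustration of the bug class described above (not code from OpenSSL or from this report): a growable output buffer whose append routine verifies both the size arithmetic and the allocation result before writing. The names outbuf, outbuf_putc, outbuf_puts, ob_realloc and failing_realloc are hypothetical, and the always-failing allocator is constructed to exercise the out-of-memory path.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical growable output buffer (assumption, not OpenSSL's structure). */
struct outbuf { char *data; size_t len, cap; };

/* Allocator hook so the out-of-memory path can be exercised. */
static void *(*ob_realloc)(void *, size_t) = realloc;

/* Constructed allocator that always fails, simulating memory exhaustion. */
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/* Append one byte; returns 1 on success, 0 on failure.
 * On failure the buffer is unchanged and still owned by the caller. */
static int outbuf_putc(struct outbuf *b, char c)
{
    if (b->len == b->cap) {
        if (b->cap > SIZE_MAX / 2)   /* doubling would wrap around */
            return 0;
        size_t ncap = b->cap ? b->cap * 2 : 16;
        void *p = ob_realloc(b->data, ncap);
        if (p == NULL)               /* never write through an unchecked result */
            return 0;
        b->data = p;
        b->cap = ncap;
    }
    b->data[b->len++] = c;
    return 1;
}

/* Append a string, stopping at and reporting the first failure. */
static int outbuf_puts(struct outbuf *b, const char *s)
{
    for (; *s != '\0'; s++)
        if (!outbuf_putc(b, *s))
            return 0;
    return 1;
}

int main(void)
{
    struct outbuf b = {0};
    int ok = outbuf_puts(&b, "0123456789abcdef");   /* fills the first 16 bytes */
    ob_realloc = failing_realloc;                   /* the next growth fails */
    printf("fill=%d append_on_oom=%d len=%zu\n", ok, outbuf_putc(&b, 'x'), b.len);
    free(b.data);
    return 0;
}
```

Because the old pointer is only replaced after the new one is known to be valid, a failed growth neither leaks the existing storage nor leaves a stale capacity that a later write could overrun.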

Comment 1 Adam Mariš 2016-03-04 12:31:23 UTC
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1314766]

Comment 2 Adam Mariš 2016-03-04 12:31:38 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1314764]

Comment 3 Adam Mariš 2016-03-04 12:31:48 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1314765]

Comment 10 petercho 2016-04-11 04:26:26 UTC
Can we give this a higher priority?
Clients are seriously concerned about this as it is related to openssl.
Thanks.

Comment 12 Tomas Mraz 2016-04-29 15:17:27 UTC
Note that the patch for CVE-2016-0799 also fixes this issue.

Comment 14 Martin Prpič 2016-05-03 14:53:21 UTC
Acknowledgments:

Name: the OpenSSL project
Upstream: Guido Vranken

Comment 15 errata-xmlrpc 2016-05-09 09:28:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0722 https://rhn.redhat.com/errata/RHSA-2016-0722.html

Comment 16 errata-xmlrpc 2016-05-10 04:20:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0996 https://rhn.redhat.com/errata/RHSA-2016-0996.html

Comment 21 errata-xmlrpc 2016-10-18 07:08:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2016:2073 https://rhn.redhat.com/errata/RHSA-2016-2073.html

Comment 22 errata-xmlrpc 2016-12-15 22:16:35 UTC
This issue has been addressed in the following products:



Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html