Bug 1331441 (CVE-2016-2105)

Summary: CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akjain, bbaranow, bmaxwell, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dosoudil, erik-fedora, fnasser, gzaronik, hkario, huwang, huzaifas, jaeshin, jason.greene, jawilson, jclere, jdoyle, ktietz, lgao, marcandre.lureau, mbabacek, mturk, myarboro, pgier, psakar, pslavice, redhat-bugzilla, rjones, rnetuka, rsvoboda, ryan.parman, sardella, security-response-team, slawomir, tmraz, twalsh, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
See Also: https://issues.redhat.com/browse/JBCS-87
Whiteboard:
Fixed In Version: openssl 1.0.1t, openssl 1.0.2h Doc Type: Bug Fix
Doc Text:
An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-22 12:28:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1331569, 1331570, 1331865, 1331866, 1332588, 1332589, 1332590, 1332591, 1332975, 1337149, 1337150, 1337151, 1366994    
Bug Blocks: 1330106, 1395463    
Attachments:
Description Flags
OpenSSL upstream fix none

Description Tomas Hoger 2016-04-28 14:04:59 UTC 
Quoting form the draft of OpenSSL upstream advisory:

EVP_EncodeUpdate overflow (CVE-2016-2105)
=========================================

Severity: Low

An overflow can occur in the EVP_EncodeUpdate() function which is used for
Base64 encoding of binary data. If an attacker is able to supply very large
amounts of input data then a length check can overflow resulting in a heap
corruption.

Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by the
PEM_write_bio* family of functions. These are mainly used within the OpenSSL
command line applications. These internal uses are not considered vulnerable
because all calls are bounded with length checks so no overflow is possible.
User applications that call these APIs directly with large amounts of untrusted
data may be vulnerable. (Note: Initial analysis suggested that the
PEM_write_bio* were vulnerable, and this is reflected in the patch commit
message. This is no longer believed to be the case).

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 3rd March 2016 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.
Comment 1 Tomas Hoger 2016-04-28 14:05:11 UTC 
Acknowledgments:

Name: the OpenSSL project
Upstream: Guido Vranken
Comment 2 Tomas Hoger 2016-04-28 14:06:17 UTC 
Created attachment 1151923 [details]
OpenSSL upstream fix
Comment 5 Martin Prpič 2016-05-03 14:19:29 UTC 
External References:

https://openssl.org/news/secadv/20160503.txt
Comment 6 Martin Prpič 2016-05-03 14:28:36 UTC 
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1332590]
Comment 7 Martin Prpič 2016-05-03 14:28:42 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1332588]
Comment 8 Martin Prpič 2016-05-03 14:28:48 UTC 
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1332589]
Affects: epel-7 [bug 1332591]
Comment 10 Tomas Hoger 2016-05-04 13:28:25 UTC 
Upstream commit:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=5b814481f3573fa9677f3a31ee51322e2a22ee6a
Comment 11 Fedora Update System 2016-05-04 18:51:30 UTC 
openssl-1.0.2h-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2016-05-07 11:38:38 UTC 
openssl-1.0.2h-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 errata-xmlrpc 2016-05-09 09:29:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0722 https://rhn.redhat.com/errata/RHSA-2016-0722.html
Comment 14 errata-xmlrpc 2016-05-10 04:21:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0996 https://rhn.redhat.com/errata/RHSA-2016-0996.html
Comment 17 Fedora Update System 2016-05-10 17:52:03 UTC 
openssl-1.0.1k-15.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2016-05-27 23:16:39 UTC 
openssl101e-1.0.1e-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 25 errata-xmlrpc 2016-08-22 18:09:34 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 2.1.1

Via RHSA-2016:1650 https://rhn.redhat.com/errata/RHSA-2016-1650.html
Comment 26 errata-xmlrpc 2016-08-22 18:11:24 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6

Via RHSA-2016:1649 https://rhn.redhat.com/errata/RHSA-2016-1649.html
Comment 27 errata-xmlrpc 2016-08-22 18:12:18 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2016:1648 https://rhn.redhat.com/errata/RHSA-2016-1648.html
Comment 28 errata-xmlrpc 2016-10-12 17:00:59 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4.10

Via RHSA-2016:2056 https://rhn.redhat.com/errata/RHSA-2016-2056.html
Comment 29 errata-xmlrpc 2016-10-12 17:09:21 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2016:2054 https://rhn.redhat.com/errata/RHSA-2016-2054.html
Comment 30 errata-xmlrpc 2016-10-12 17:20:08 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2016:2055 https://rhn.redhat.com/errata/RHSA-2016-2055.html
Comment 33 errata-xmlrpc 2016-10-18 07:09:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2016:2073 https://rhn.redhat.com/errata/RHSA-2016-2073.html
Comment 35 errata-xmlrpc 2016-12-15 22:17:46 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html