Bug 1331563 (CVE-2016-2176)

Summary: CVE-2016-2176 openssl: EBCDIC overread in X509_NAME_oneline()
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ryan.parman, sardella, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20160503,reported=20160428,source=openssl,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,cwe=CWE-125,rhel-4/openssl=notaffected,rhel-4/openssl096b=notaffected,rhel-5/openssl=notaffected,rhel-5/openssl097a=notaffected,rhel-6/openssl=notaffected,rhel-6/openssl098e=notaffected,rhel-7/openssl=notaffected,rhel-7/openssl098e=notaffected,fedora-all/openssl=notaffected,fedora-all/mingw-openssl=notaffected,eap-5/openssl=notaffected,eap-6/openssl=notaffected,jbews-2/openssl=notaffected,jbews-3/openssl=notaffected,epel-5/openssl101e=notaffected,epel-7/mingw-openssl=notaffected
Fixed In Version: openssl 1.0.1t, openssl 1.0.2h Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-04-28 19:45:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 1330106    
Attachments:
Description Flags
OpenSSL upstream fix none

Description Tomas Hoger 2016-04-28 19:41:14 UTC
Quoting form the draft of OpenSSL upstream advisory:

EBCDIC overread (CVE-2016-2176)
===============================

Severity: Low

ASN1 Strings that are over 1024 bytes can cause an overread in applications
using the X509_NAME_oneline() function on EBCDIC systems. This could result in
arbitrary stack data being returned in the buffer.

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 5th March 2016 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.

Comment 1 Tomas Hoger 2016-04-28 19:41:24 UTC
Acknowledgments:

Name: the OpenSSL project
Upstream: Guido Vranken

Comment 2 Tomas Hoger 2016-04-28 19:43:07 UTC
Created attachment 1152051 [details]
OpenSSL upstream fix

Comment 3 Tomas Hoger 2016-04-28 19:45:14 UTC
OpenSSL packages distributed by Red Hat do not enable EBCDIC support and are therefore unaffected by this issue.

Comment 4 Martin Prpič 2016-05-03 14:19:39 UTC
External References:

https://openssl.org/news/secadv/20160503.txt