Bug 1341705 (CVE-2016-2177)
| Summary: | CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | anemec, apmukher, bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, dknox, dosoudil, emarquez, erik-fedora, gzaronik, jaeshin, jawilson, jclere, ktietz, lgao, marcandre.lureau, mbabacek, mturk, myarboro, pgier, psakar, pslavice, redhat-bugzilla, rjones, rnetuka, rsvoboda, sardella, slawomir, sparks, tmraz, twalsh, vtunka, weli, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | openssl 1.0.1u, openssl 1.0.2i | Doc Type: | If docs needed, set a value |
| Doc Text: | Multiple integer overflow flaws were found in the way OpenSSL performed pointer arithmetic. A remote attacker could possibly use these flaws to cause a TLS/SSL server or client using OpenSSL to crash. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-01-23 07:53:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1341706, 1341707, 1341708, 1373890, 1373891, 1377623, 1377624, 1377625, 1377626, 1430538 | | |
| Bug Blocks: | 1341711, 1367347, 1395463, 1461790, 1479475 | | |
Description
Adam Mariš
2016-06-01 14:36:10 UTC
Created openssl101e tracking bugs for this issue:
Affects: epel-5 [bug 1341708]

Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1341706]

Created mingw-openssl tracking bugs for this issue:
Affects: fedora-all [bug 1341707]

Upstream fix for 1.0.2 (only Fedora-23 and mingw packages in Fedora-23/Epel-7):
https://github.com/openssl/openssl/commit/a004e72b95835136d3f1ea90517f706c24c03da7

See upstream blog post about this issue:
https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/

In summary from one of the upstream developers: This is a LOW issue, and does not justify a release by itself.

Upstream commit in 1.0.1 branch:
https://github.com/openssl/openssl/commit/6f35f6deb5ca7daebe289f86477e061ce3ee5f46

Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i.

Pointer arithmetic undefined behaviour (CVE-2016-2177)
======================================================

Severity: Low

Avoid some undefined pointer arithmetic

A common idiom in the codebase is to check limits in the following manner:

"p + len > limit"

Where "p" points to some malloc'd data of SIZE bytes and limit == p + SIZE

"len" here could be from some externally supplied data (e.g. from a TLS message).

The rules of C pointer arithmetic are such that "p + len" is only well defined where len <= SIZE. Therefore the above idiom is actually undefined behaviour.

For example this could cause problems if some malloc implementation provides an address for "p" such that "p + len" actually overflows for values of len that are too big and therefore p + len < limit.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 4th May 2016 by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team.
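The limit check the advisory describes, rewritten in the length-comparison form that never forms "p + len", and applied to a constructed TLS-style length-prefixed vector. This is an added C example, not code from OpenSSL or from the fix commits referenced in this bug; the function names, the 2-byte vector format and the sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hardened bounds check. The advisory's idiom, "p + len > limit" with
 * limit == p + SIZE, forms p + len first; that is only defined for
 * len <= SIZE, and a wrapped pointer can let a huge len pass the test.
 * Comparing lengths instead never forms an out-of-range pointer. */
static int remaining_ok(const unsigned char *p, size_t len,
                        const unsigned char *limit)
{
    return len <= (size_t)(limit - p);  /* limit - p is always defined */
}

/* Parse one TLS-style vector (2-byte big-endian length, then body) from
 * buf[0..buflen). Returns the body length, or -1 when the prefix or the
 * declared body would run past the buffer. *body is set on success. */
static long read_vector16(const unsigned char *buf, size_t buflen,
                          const unsigned char **body)
{
    const unsigned char *p = buf, *limit = buf + buflen; /* one past end */
    size_t len;

    if (!remaining_ok(p, 2, limit))
        return -1;
    len = ((size_t)p[0] << 8) | p[1];   /* externally supplied length */
    p += 2;
    if (!remaining_ok(p, len, limit))   /* safe even for len == SIZE_MAX */
        return -1;
    *body = p;
    return (long)len;
}

/* Constructed samples: a well-formed vector and one claiming 0xFFFF bytes. */
static const unsigned char sample_ok[]  = { 0x00, 0x03, 'a', 'b', 'c' };
static const unsigned char sample_bad[] = { 0xFF, 0xFF, 'a', 'b', 'c' };

static long parse_sample(const unsigned char *m, size_t n)
{
    const unsigned char *body;
    return read_vector16(m, n, &body);
}

int main(void)
{
    printf("ok: %ld  bad: %ld\n", parse_sample(sample_ok, sizeof sample_ok),
           parse_sample(sample_bad, sizeof sample_bad));
    return 0;
}
```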
External References:
https://www.openssl.org/news/secadv/20160922.txt

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html

This issue has been addressed in the following products:
JBoss Core Services for Solaris and Microsoft Windows systems
Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
Via RHSA-2017:0194 https://access.redhat.com/errata/RHSA-2017:0194

This issue has been addressed in the following products:
JBoss Core Services on RHEL 6
Via RHSA-2017:0193 https://access.redhat.com/errata/RHSA-2017:0193

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2017:1659 https://access.redhat.com/errata/RHSA-2017:1659

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
Via RHSA-2017:1658 https://access.redhat.com/errata/RHSA-2017:1658