Bug 309801 (CVE-2007-5135)

Summary: CVE-2007-5135 openssl: SSL_get_shared_ciphers() off-by-one
Product: [Other] Security Response
Reporter: Mark J. Cox <mjc>
Component: vulnerability
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2019-06-12 09:47:49 UTC
Bug Depends On: 309831, 309841, 309851, 309861, 309871, 309881

Description Mark J. Cox 2007-09-27 19:39:40 UTC
In 2006, Tavis Ormandy and Will Drewry of the Google Security Team discovered a
buffer overflow in the SSL_get_shared_ciphers() utility function. An
attacker could send a list of ciphers to an application that used this
function and overrun a buffer (CVE-2006-3738). Few applications make use
of this vulnerable function and generally it is used only when applications
are compiled for debugging.

Moritz Jodeit found that a single byte (nul) overflow was still possible:
http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded

Things that use SSL_get_shared_ciphers():

        openssl: s_server usage
        ckermit: uses function
        mysql-4.1.10a: in a debugging #ifdef
        exim: only if debugging
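
An added illustration, not part of this bug report and not OpenSSL's source: a bounded cipher-list join in C that shows the boundary a one-byte NUL overrun lives on, namely a buffer that holds the joined names but not the terminator. The function names, the cipher names and the buffer sizes are constructed for the example; join_ciphers() is a simplified stand-in for the SSL_get_shared_ciphers() pattern (names copied into a caller-supplied buffer, ':'-separated), not the library's implementation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Join `count` cipher names with ':' into `buf`, which holds `size` bytes.
 * Returns buf on success, always NUL-terminated; returns NULL when the joined
 * list plus its terminator does not fit. Hypothetical helper for illustration,
 * not OpenSSL's SSL_get_shared_ciphers(). */
char *join_ciphers(const char *const *names, size_t count, char *buf, size_t size)
{
    size_t used = 0;   /* bytes written so far */

    if (buf == NULL || size == 0)
        return NULL;

    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]);

        /* Each name needs n bytes plus one more: a ':' separator, or for the
         * last name the terminating NUL. Comparing n + 1 (not n) against the
         * remaining capacity is what keeps that final byte inside the buffer;
         * comparing only n is the classic one-byte overrun. */
        if (n + 1 > size - used)
            return NULL;

        memcpy(buf + used, names[i], n);
        used += n;
        buf[used++] = ':';
    }

    /* Turn the trailing ':' into the terminator (or terminate an empty list). */
    if (used > 0)
        used--;
    buf[used] = '\0';
    return buf;
}

/* Constructed sample list: 10 + 1 + 7 = 18 characters when joined. */
static const char *const kSharedCiphers[] = { "AES128-SHA", "RC4-MD5" };
#define kSharedCount (sizeof kSharedCiphers / sizeof kSharedCiphers[0])
#define JOINED_LEN 18

/* Run the join into a canary-filled arena while advertising only `size` bytes.
 * Returns 1 if the join succeeded, 0 if it was rejected, and -1 if the byte
 * just past `size` was modified, i.e. the join overran its buffer. */
int boundary_check(size_t size)
{
    char arena[64];
    char *r;

    if (size >= sizeof arena)
        return -1;
    memset(arena, 'X', sizeof arena);   /* canary fill */
    r = join_ciphers(kSharedCiphers, kSharedCount, arena, size);
    if (arena[size] != 'X')
        return -1;                       /* wrote past the declared size */
    return r != NULL;
}

/* Join the sample list into a static buffer that is exactly big enough. */
const char *joined_example(void)
{
    static char out[JOINED_LEN + 1];
    return join_ciphers(kSharedCiphers, kSharedCount, out, sizeof out);
}

int main(void)
{
    printf("joined: %s\n", joined_example());
    printf("size %d -> %d\n", JOINED_LEN + 1, boundary_check(JOINED_LEN + 1));
    printf("size %d -> %d\n", JOINED_LEN, boundary_check(JOINED_LEN));
    return 0;
}
```

A buffer of 19 bytes holds the 18-character sample plus its NUL and succeeds; a buffer of 18 bytes is rejected rather than terminated one byte past its end, and the canary in boundary_check() confirms nothing beyond the advertised size was touched. The same canary check is a cheap way to exercise any fixed-buffer string routine at its exact capacity, which is where this class of bug hides.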

Comment 4 Mark J. Cox 2007-10-16 16:40:52 UTC
Note that this issue is only of moderate security severity.  Few applications
make use of this vulnerable function and generally it is used only when
applications are compiled for debugging.  In addition, this single-byte overflow
is not likely to be exploitable, which is why the OpenSSL team did not do an
immediate fix for this issue.

We fixed this issue in Red Hat Enterprise Linux 5 in early Oct 2007 because we
had to issue an update to fix a higher severity issue that only affected the
RHEL5 OpenSSL.

An update to fix this issue is in progress for RHEL2.1 and RHEL3 and will be
released when completed (depending on it passing Quality Engineering and the
queue of higher severity issues).

An update to fix this issue for RHEL4 will be issued after RHEL4.6 is released.


Comment 6 Mark J. Cox 2007-10-22 10:48:32 UTC
The updates to correct this issue for RHEL2.1, 3 and 5 have been released.  An update
to correct this issue for RHEL4 will be made available after the release of
update 6 (4.6).