Bug 476671 (CVE-2008-5077)

Summary: CVE-2008-5077 OpenSSL Incorrect checks for malformed signatures
Product: [Other] Security Response Reporter: Mark J. Cox <mjc>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact: Michal Marciniszyn <mmarcini>
Severity: medium Docs Contact:
Priority: low    
Version: unspecifiedCC: kreilly, mmarcini, rjones, rob.townley, security-response-team, syeghiay, tmraz, tvujec, wnefal+redhatbugzilla
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-21 07:25:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 476676, 476677, 476678, 476679, 476680, 476681, 476682, 476683, 476684, 476685, 476686, 476687, 476688, 482112, 530522, 673086, 813718, 1127896    
Bug Blocks:    
Attachments:
Description Flags
proposed patch none

Description Mark J. Cox 2008-12-16 15:15:56 UTC 
Draft advisory from OpenSSL team:

OpenSSL Security Advisory [07-Jan-2009]

Incorrect checks for malformed signatures
-------------------------------------------

Several functions inside OpenSSL incorrectly checked the result after
calling the EVP_VerifyFinal function, allowing a malformed signature
to be treated as a good signature rather than as an error.  This issue
affected the signature checks on DSA and ECDSA keys used with
SSL/TLS.

One way to exploit this flaw would be for a remote attacker who is in
control of a malicious server or who can use a 'man in the middle'
attack to present a malformed SSL/TLS signature from a certificate chain
to a vulnerable client, bypassing validation.

This vulnerability is tracked as CVE-2008-5077.

The OpenSSL security team would like to thank the Google Security Team
for reporting this issue.

Who is affected?
-----------------

Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client
when connecting to a server whose certificate contains a DSA or ECDSA key.

Use of OpenSSL as an SSL/TLS client when connecting to a server whose
certificate uses an RSA key is NOT affected.

Verification of client certificates by OpenSSL servers for any key type
is NOT affected.

Recommendations for users of OpenSSL
------------------------------------

Users of OpenSSL 0.9.8 should update to the OpenSSL 0.9.8j release
which contains a patch to correct this issue.

The patch used is also appended to this advisory for users or
distributions who wish to backport this patch to versions they build
from source. Please note: this patch also includes fixes for a
few other cases where return codes are not correctly checked, but
these do not have a security implication

Recommendations for projects using OpenSSL
------------------------------------------

Projects and products using OpenSSL should audit any use of the
routine EVP_VerifyFinal() to ensure that the return code is being
correctly handled.  As documented, this function returns 1 for a
successful verification, 0 for failure, and -1 for an error.

General recommendations
-----------------------

Any SSL/TLS server with clients that OpenSSL to verify DSA or ECDSA
certificates, regardless of the software used by the server, should
either ensure that all clients are upgraded or should stop using
DSA/ECDSA certificates. Note that unless certificates are revoked
(and clients check for revocation) impersonation will still be
possible until the certificate expires.
Comment 1 Mark J. Cox 2008-12-16 15:17:00 UTC 
Created attachment 327115 [details]
proposed patch
Comment 8 Mark J. Cox 2009-01-07 12:58:46 UTC 
now public, removing embargo
http://openssl.org/news/secadv_20090107.txt
Comment 9 Fedora Update System 2009-01-07 17:47:54 UTC 
openssl-0.9.8g-9.12.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/openssl-0.9.8g-9.12.fc9
Comment 10 Fedora Update System 2009-01-07 17:49:40 UTC 
openssl-0.9.8g-12.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/openssl-0.9.8g-12.fc10
Comment 11 Fedora Update System 2009-01-08 04:19:08 UTC 
openssl-0.9.8g-9.12.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2009-01-08 04:19:42 UTC 
openssl-0.9.8g-12.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Tomas Hoger 2009-01-09 07:38:49 UTC 
oCERT advisory:
  http://www.ocert.org/advisories/ocert-2008-016.html
Comment 14 Richard W.M. Jones 2009-01-11 23:12:41 UTC 
Is it planned to rebuild this in Rawhide?  I notice that F-10 contains the
fix but Rawhide does not.
Comment 15 Tomas Mraz 2009-01-12 07:29:29 UTC 
I'm currently working on upgrade of openssl in rawhide to the latest released upstream version which already contains the fix. It will take some time though as we will need a special build target for rebuild of the dependent packages.
Comment 17 Tomas Hoger 2012-06-21 07:25:25 UTC 
https://access.redhat.com/security/cve/CVE-2008-5077