Bug 492304 (CVE-2009-0590)

Summary: CVE-2009-0590 openssl: ASN1 printing crash
Product: [Other] Security Response Reporter: Mark J. Cox <mjc>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecified CC: green, kreilly, nalin, ovirt-maint, rprice, tao, tmraz, vdanen, yamato
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0591
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-25 09:28:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 482112, 494578, 530522, 547448, 563125, 563127, 1127896    
Bug Blocks:    

Comment 2 Mark J. Cox 2009-03-26 12:10:41 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0590 to
the following vulnerability:

ASN1 printing crash
===================

The function ASN1_STRING_print_ex() when used to print a BMPString or
UniversalString will crash with an invalid memory access if the encoded length
of the string is illegal. (CVE-2009-0590)

Any OpenSSL application which prints out the contents of a certificate could
be affected by this bug, including SSL servers, clients and S/MIME software.

Fixed in 0.9.8k 
http://cvs.openssl.org/chngview?cn=17907

Comment 3 Tomas Hoger 2009-03-30 08:42:44 UTC
Upstream security advisory:
  http://openssl.org/news/secadv_20090325.txt

Comment 4 Tomas Hoger 2009-03-30 08:59:53 UTC
The impact of this flaw is limited to a crash of the applications calling the affected openssl function.  There are currently no known applications printing untrusted certificates, where an application crash would be considered a security issue.

Future openssl package updates may address this flaw.

Comment 9 Tomas Hoger 2009-04-07 08:48:33 UTC
This issue may only affect applications using the ASN1_STRING_print_ex() (or ASN1_STRING_print_ex_fp(), or ASN1_item_print() calling ASN1_STRING_print_ex()) OpenSSL function to print untrusted inputs (such as values from unverified X509 client certificates).

No application shipped in Red Hat Enterprise Linux uses the affected function.  It is only used in the sslinfo extension shipped with the recent versions of the PostgreSQL server (contrib module, not enabled by default; only included in postgresql-contrib packages in Red Hat Application Stack 2), where it is used to print information from the client certificate that was previously used to successfully authenticate the user's connection (i.e. it has been issued by a trusted CA and hence the certificate is trusted).  Additional searches suggest that the function is rarely used by other open source projects not included in any Red Hat product.

There's currently no plan to release an asynchronous security update to address this low-impact issue.  Future OpenSSL package updates may address this flaw.
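
Added example (not part of the bug report and not OpenSSL's code or its fix): a stand-alone length check that an application could run on a DER-encoded BMPString or UniversalString value from an untrusted certificate before handing it to a printing routine. It assumes "illegal" encoded length means a content length that is not a whole multiple of the character width (2 bytes for BMPString, 4 for UniversalString); the function name, return codes and sample bytes are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define TAG_UNIVERSALSTRING 0x1C /* UCS-4: 4 bytes per character */
#define TAG_BMPSTRING       0x1E /* UCS-2: 2 bytes per character */

enum { WIDE_OK = 0, NOT_WIDE = 1, BAD_DER = -1, BAD_LENGTH = -2 };

/* Check one DER TLV: is the content length legal for its string type? */
int check_wide_string(const unsigned char *der, size_t der_len)
{
    size_t hdr = 2, content_len, width, n, i;
    if (der == NULL || der_len < 2)
        return BAD_DER;
    if (der[0] == TAG_BMPSTRING)
        width = 2;
    else if (der[0] == TAG_UNIVERSALSTRING)
        width = 4;
    else
        return NOT_WIDE;              /* other types are out of scope here */
    if (der[1] < 0x80) {
        content_len = der[1];         /* short-form length */
    } else {
        n = der[1] & 0x7F;            /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t) || der_len < 2 + n)
            return BAD_DER;
        for (content_len = 0, i = 0; i < n; i++)
            content_len = (content_len << 8) | der[2 + i];
        hdr += n;
    }
    if (content_len > der_len - hdr)
        return BAD_DER;               /* content runs past the buffer */
    if (content_len % width != 0)
        return BAD_LENGTH;            /* trailing partial character */
    return WIDE_OK;
}

/* Constructed sample encodings, not taken from any real certificate. */
const unsigned char bmp_ok[]  = {0x1E, 0x04, 0x00, 0x48, 0x00, 0x69};
const unsigned char bmp_odd[] = {0x1E, 0x03, 0x00, 0x48, 0x00};
const unsigned char uni_bad[] = {0x1C, 0x06, 0, 0, 0, 0x48, 0, 0};

int main(void)
{
    printf("%d %d %d\n", check_wide_string(bmp_ok, sizeof bmp_ok),
           check_wide_string(bmp_odd, sizeof bmp_odd),
           check_wide_string(uni_bad, sizeof uni_bad));
    return 0;
}
```

A check like this only rejects malformed values early; updating to a fixed OpenSSL package remains the remedy the report points to.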

Comment 17 errata-xmlrpc 2009-09-02 11:00:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1335 https://rhn.redhat.com/errata/RHSA-2009-1335.html

Comment 29 errata-xmlrpc 2010-03-25 09:15:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4

Via RHSA-2010:0163 https://rhn.redhat.com/errata/RHSA-2010-0163.html