Bug 569774 (CVE-2010-0433)

Summary: CVE-2010-0433 openssl: crash caused by a missing krb5_sname_to_principal() return value check
Product: [Other] Security Response
Component: vulnerability
Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
CC: mvadkert, tmraz
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-12-14 10:04:44 UTC
Bug Depends On: 560680, 560681, 567711, 573653, 573658, 1127896

Description Tomas Hoger 2010-03-02 11:23:32 UTC
Todd Rinaldo brought to our attention (bug #567711) a flaw in OpenSSL that can cause a TLS/SSL server using OpenSSL to crash when a client proposes certain cipher suites in its client hello.

This crash is caused by a missing Kerberos krb5_sname_to_principal() function return value check in OpenSSL's kssl_keytab_is_available() (ssl/kssl.c).  This function can return an error under certain circumstances (the issue was reproduced with dovecot and stunnel configured to chroot their process to an empty directory, causing the getaddrinfo() call to fail).  If kssl_keytab_is_available() fails, it may leave princ (Kerberos service principal) unmodified, causing krb5_kt_get_entry() to be called with a NULL principal.  With certain krb5 versions, this leads to a NULL pointer dereference crash.
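The unchecked call described above beside the checked shape the fix introduces, as an added C illustration that is not OpenSSL's kssl.c: the krb5_* stand-ins and their switches are constructed so the example runs without libkrb5, and the stand-in keytab lookup records a NULL principal instead of dereferencing it.

```c
#include <stddef.h>
/* Constructed stand-in types; libkrb5 is not needed to run this */
typedef struct { const char *svc; } fake_principal;
typedef fake_principal *krb5_principal;
typedef int krb5_error_code;
/* Models getaddrinfo() failing inside an empty chroot, which makes
 * krb5_sname_to_principal() return an error */
static int sim_resolver_fails = 0;
/* Set when the keytab lookup receives a NULL principal: the NULL pointer
 * dereference on affected krb5, just an error return on RHEL-3/4 krb5 */
static int null_principal_seen = 0;

/* Stand-in for krb5_sname_to_principal(): on error *out is left untouched */
static krb5_error_code fake_sname_to_principal(const char *svc, krb5_principal *out)
{
    static fake_principal p;
    if (sim_resolver_fails)
        return -1;
    p.svc = svc;
    *out = &p;
    return 0;
}

/* Stand-in for krb5_kt_get_entry(): records the NULL instead of crashing */
static krb5_error_code fake_kt_get_entry(krb5_principal princ)
{
    if (princ == NULL) {
        null_principal_seen = 1;
        return -1;
    }
    return 0;
}

/* Pre-fix shape: the return value of the principal lookup is ignored */
int keytab_is_available_vulnerable(const char *svc)
{
    krb5_principal princ = NULL;
    fake_sname_to_principal(svc, &princ);
    return fake_kt_get_entry(princ) == 0;
}

/* Fixed shape: a failed principal lookup means "keytab not available" */
int keytab_is_available_fixed(const char *svc)
{
    krb5_principal princ = NULL;
    if (fake_sname_to_principal(svc, &princ) != 0)
        return 0;
    return fake_kt_get_entry(princ) == 0;
}
```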

Comment 2 Tomas Hoger 2010-03-03 20:05:03 UTC
Upstream fix:
  http://cvs.openssl.org/chngview?cn=19374

Comment 5 Fedora Update System 2010-03-23 07:27:29 UTC
openssl-0.9.8m-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/openssl-0.9.8m-1.fc11

Comment 6 errata-xmlrpc 2010-03-25 08:52:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0162 https://rhn.redhat.com/errata/RHSA-2010-0162.html

Comment 7 Fedora Update System 2010-03-25 12:53:09 UTC
openssl-0.9.8n-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/openssl-0.9.8n-1.fc11

Comment 8 Fedora Update System 2010-03-30 10:44:08 UTC
openssl-1.0.0-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/openssl-1.0.0-1.fc13

Comment 9 Fedora Update System 2010-03-30 12:27:15 UTC
openssl-1.0.0-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openssl-1.0.0-1.fc12

Comment 10 Tomas Hoger 2010-04-01 15:58:43 UTC
krb5_sname_to_principal() return value check is missing in the OpenSSL versions in Red Hat Enterprise Linux 3 and 4 too.  However, as noted in comment #0, a NULL principal does not cause a crash in krb5_kt_get_entry() in all MIT krb5 versions.  In the RHEL-3 and RHEL-4 krb5 library versions, krb5_kt_get_entry() returns an error without crashing.

Comment 11 Fedora Update System 2010-04-09 03:42:39 UTC
openssl-1.0.0-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2010-04-16 23:49:43 UTC
openssl-0.9.8n-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2010-05-18 16:53:57 UTC
openssl-1.0.0-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openssl-1.0.0-4.fc12

Comment 14 Fedora Update System 2010-05-25 18:41:33 UTC
openssl-1.0.0-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Tomas Hoger 2018-01-17 15:35:22 UTC
(In reply to Tomas Hoger from comment #2)
> Upstream fix:
>   http://cvs.openssl.org/chngview?cn=19374

This is no longer working; the working link is:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=cca1cd9a3447dd067503e4a85ebd1679ee78a48e