Bug 570924 (CVE-2009-3245)
| Field | Value |
|---|---|
| Summary | CVE-2009-3245 openssl: missing bn_wexpand return value checks |
| Product | [Other] Security Response |
| Reporter | Vincent Danen <vdanen> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | ethan.baker, mjc, mvadkert, nalin, qe-baseos-security, rcvalle, tao, tmraz |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| URL | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3245 |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2010-12-13 20:08:43 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 560680, 560681, 573653, 573658, 574765, 574766, 574767, 577859, 583820, 659771, 1127896 |
| Bug Blocks | |
Description
Vincent Danen
2010-03-05 21:04:13 UTC
A missing bn_wexpand return value check may cause a BIGNUM value to have a data buffer of an insufficient size. If called right after the creation of a BIGNUM, the data pointer will be NULL, hence leading to NULL pointer deref crashes. If bn_wexpand is used to expand / reallocate an existing BIGNUM, a failed malloc will cause d and dmax to be left unchanged. Depending on the code following bn_wexpand, this can lead to buffer over-reads or over-writes.

The first report of the missing bn_wexpand return value check was for an occurrence in crypto/bn/bn_mul.c (see upstream bug report mentioned in comment #0). Upstream commit: http://cvs.openssl.org/chngview?cn=18936

This problem affects openssl packages in Red Hat Enterprise Linux 5. Older openssl packages in RHEL 3 and RHEL 4 are not affected.

Follow-up report adding a few more missing bn_wexpand return value checks: http://cvs.openssl.org/chngview?cn=19309 It changes the following files:

- crypto/bn/bn_div.c - the change is in the old and no longer used implementation (inside an #if 0 block), so this is a non-issue
- crypto/bn/bn_gf2m.c
  - the affected function, BN_GF2m_add, is not used in Red Hat openssl packages as they do not have support for Elliptic Curve Public-Key Crypto; this function is used by the openssl ECC code
  - the affected code does not exist in openssl 0.9.7 in RHEL3 and RHEL4
  - this is exposed via libcrypto
- crypto/ec/ec2_smpl.c - ECC code again, not enabled in Red Hat openssl packages
- engines/e_ubsec.c
  - this code implements "UBSEC hardware engine support"
  - limited to NULL pointer deref (bn_wexpand called right after BN_new)
  - affects all openssl versions (crypto/engine/hw_ubsec.c in 0.9.7)

There are no other bn_wexpand calls missing a return value check in openssl packages in RHEL 3, 4, or 5 as well as current 1.0.0-beta5 (RHEL 6 / Rawhide).
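The two failure modes described above (NULL data pointer on a fresh BIGNUM, and unchanged d/dmax on a failed reallocation) are easy to reason about with a small model. The following is an added example written for this page; it is not OpenSSL code. It uses a toy struct whose field names (d, top, dmax) mirror OpenSSL's BIGNUM, a simulated allocation failure, and a caller that ignores the bn_wexpand-style return value beside one that checks it, as the upstream fix does. Instead of performing the out-of-bounds write, the unchecked caller reports how many words it would have written past the allocation, so the damage is measurable rather than a crash.

```c
/*
 * Added example, not OpenSSL's own code. Models the bn_wexpand() contract:
 * return NULL on allocation failure and leave d and dmax untouched.
 * The field names d/top/dmax are borrowed from OpenSSL's BIGNUM; the
 * implementation is a deliberately minimal toy.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef uint32_t word_t;   /* assumed 32-bit limb for the model */

typedef struct {
    word_t *d;    /* limb buffer; NULL right after "creation" */
    int top;      /* limbs in use */
    int dmax;     /* limbs allocated */
} toy_bignum;

/* Test hook: when nonzero, the next allocation fails (simulates ENOMEM). */
static int fail_next_alloc = 0;

static word_t *toy_alloc(size_t words) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return calloc(words, sizeof(word_t));
}

/* Grow a to at least `words` limbs. On failure returns NULL and, exactly
 * like bn_wexpand(), leaves a->d and a->dmax as they were. */
static toy_bignum *toy_wexpand(toy_bignum *a, int words) {
    if (words <= a->dmax) return a;
    word_t *nd = toy_alloc((size_t)words);
    if (nd == NULL) return NULL;
    if (a->d != NULL) {
        memcpy(nd, a->d, (size_t)a->top * sizeof(*nd));
        free(a->d);
    }
    a->d = nd;
    a->dmax = words;
    return a;
}

/* The bug class: the caller ignores toy_wexpand()'s result and then intends
 * to write r->d[0..words-1]. Returns -1 if that write would dereference NULL,
 * otherwise the number of limbs that would land past the allocation. */
static int unchecked_caller_overflow_words(toy_bignum *r, int words) {
    toy_wexpand(r, words);                       /* return value ignored */
    if (r->d == NULL) return -1;                 /* fresh BIGNUM: NULL deref */
    return words > r->dmax ? words - r->dmax : 0; /* stale dmax: over-write */
}

/* The fix: check the result and propagate the error before touching r->d. */
static int checked_caller(toy_bignum *r, int words) {
    if (toy_wexpand(r, words) == NULL) return 0;
    memset(r->d, 0, (size_t)words * sizeof(*r->d)); /* safe: dmax >= words */
    r->top = words;
    return 1;
}

/* Scenario: fresh BIGNUM, allocation fails -> unchecked caller would crash. */
int scenario_fresh_fail(void) {
    toy_bignum r = { NULL, 0, 0 };
    fail_next_alloc = 1;
    int rc = unchecked_caller_overflow_words(&r, 4);
    free(r.d);
    return rc;   /* -1 */
}

/* Scenario: dmax=2, growth to 8 fails -> unchecked caller writes 6 limbs past d. */
int scenario_grow_fail(void) {
    toy_bignum r = { NULL, 0, 0 };
    toy_wexpand(&r, 2);
    r.top = 2;
    fail_next_alloc = 1;
    int rc = unchecked_caller_overflow_words(&r, 8);
    free(r.d);
    return rc;   /* 6 */
}

/* Scenario: same failure, checked caller -> error reported, d still untouched. */
int scenario_checked_fail(void) {
    toy_bignum r = { NULL, 0, 0 };
    fail_next_alloc = 1;
    int ok = checked_caller(&r, 4);
    int untouched = (r.d == NULL && r.dmax == 0);
    free(r.d);
    return ok == 0 && untouched;   /* 1 */
}

/* Scenario: allocation succeeds -> checked caller completes normally. */
int scenario_checked_ok(void) {
    toy_bignum r = { NULL, 0, 0 };
    int ok = checked_caller(&r, 4) && r.dmax >= 4 && r.top == 4;
    free(r.d);
    return ok;   /* 1 */
}

int main(void) {
    printf("fresh+fail: %d, grow+fail: %d, checked fail ok: %d, checked ok: %d\n",
           scenario_fresh_fail(), scenario_grow_fail(),
           scenario_checked_fail(), scenario_checked_ok());
    return 0;
}
```

The model makes the point of the advisory concrete: the over-write size in the second scenario is exactly `words - dmax`, which depends on how much the caller asked for, so the impact of an unchecked expansion ranges from a clean NULL dereference to a heap write of arbitrary length.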
Summary of affected versions: openssl packages in Red Hat Enterprise Linux 5 are affected by the bn_mul.c, bn_gf2m.c (this function is only used by openssl's ECC code, which is not included in Red Hat packages) and e_ubsec.c issues. openssl packages in Red Hat Enterprise Linux 3 and 4 are only affected by the hw_ubsec.c issue (impact is limited to a NULL pointer dereference and the flaw is hardware engine specific, so low impact on RHEL3 and RHEL4 packages).

openssl-0.9.8m-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/openssl-0.9.8m-1.fc11

This issue has been addressed in openssl packages in the following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0162 https://rhn.redhat.com/errata/RHSA-2010-0162.html

This issue has been addressed in openssl096b packages in the following products: Red Hat Enterprise Linux 3, Red Hat Enterprise Linux 4 Via RHSA-2010:0173 https://rhn.redhat.com/errata/RHSA-2010-0173.html

openssl-0.9.8n-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/openssl-0.9.8n-1.fc11

As noted in comment #3, this issue has low security impact on openssl packages in Red Hat Enterprise Linux 3 and 4. Future openssl updates in those products will address this flaw. CVSSv2 score for RHEL-3 and RHEL-4 openssl: 2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P

openssl-1.0.0-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/openssl-1.0.0-1.fc13

openssl-1.0.0-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/openssl-1.0.0-1.fc12

openssl-1.0.0-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.

openssl-0.9.8n-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

openssl-1.0.0-4.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/openssl-1.0.0-4.fc12

openssl-1.0.0-4.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products: Red Hat Enterprise Virtualization for RHEL-5 Via RHSA-2010:0440 https://rhn.redhat.com/errata/RHSA-2010-0440.html

This issue has been addressed in the following products: Red Hat Enterprise Linux 4 Via RHSA-2010:0977 https://rhn.redhat.com/errata/RHSA-2010-0977.html

This issue has been addressed in the following products: JBoss Enterprise Web Server 1.0 Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html

Statement: (none)