Bug 623483 (CVE-2010-2939)
|Summary:||CVE-2010-2939 openssl: double-free vulnerability in ssl3_get_key_exchange()|
|Product:||[Other] Security Response||Reporter:||Vincent Danen <vdanen>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED NOTABUG||QA Contact:|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2010-08-12 16:34:07 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Vincent Danen 2010-08-11 21:41:54 UTC
George Guninski reported  a double-free flaw in openssl's client implementation that could lead to a crash when ECDH is used. It was reported against 1.0.0a but the code being patched  to correct the flaw has also been identified in 0.9.8 .  http://marc.info/?l=openssl-dev&m=128118163216952&w=2  http://marc.info/?l=openssl-dev&m=128128256314328&w=2  http://article.gmane.org/gmane.comp.security.oss.general/3298
Comment 1 Vincent Danen 2010-08-11 21:44:01 UTC
I'm not 100% sure of the impact here as it looks like it might just be in the openssl client. I don't know if this code is used by other clients linked to the openssl libraries or not, so at this point cannot say if other applications are impacted by this.
Comment 2 Tomas Mraz 2010-08-11 22:10:24 UTC
Except this code is not compiled in on our openssl - no ECC support there.
Comment 3 Vincent Danen 2010-08-12 04:03:30 UTC
ECC or ECDH? So where this problem falls, we don't compile that support into any version of openssl we provide?
Comment 4 Tomas Mraz 2010-08-12 07:20:08 UTC
Yes, it's in #ifndef OPENSSL_NO_ECDH. And the ECDH is not even in the source tarball due to patent concerns with ECC.
Comment 6 Vincent Danen 2010-08-12 16:34:07 UTC
Statement: This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, or 5 as they did not include support for ECDH.