Bug 802489 (CVE-2012-1165)

Summary: CVE-2012-1165 openssl: mime_param_cmp NULL dereference crash
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anande, mvadkert, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20120312,reported=20120312,source=redhat,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,rhel-4/openssl=wontfix,rhel-4/openssl096b=wontfix,rhel-5/openssl=affected,rhel-5/openssl097a=wontfix,rhel-6/openssl=affected,rhel-6/openssl098e=wontfix,jbews-1/openssl=affected,fedora-all/openssl=affected,fedora-all/mingw32-openssl=affected,epel-5/mingw32-openssl=affected,cwe=CWE-476[auto]
Fixed In Version: openssl 0.9.8u, openssl 1.0.0h Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-09-25 03:58:58 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 802816, 802817, 802820, 804550, 804551, 804552, 804553    
Bug Blocks: 802502    

Description Tomas Hoger 2012-03-12 12:58:10 EDT
A NULL pointer dereference flaw was found in OpenSSL's mime_param_cmp.  A specially crafted S/MIME input headers could cause an application using OpenSSL to crash during S/MIME message verification or decryption.

This is similar to the mime_hdr_cmp issue tracked via bug 798100.

Upstream commit:
  http://cvs.openssl.org/chngview?cn=22252
  and cn 22243 and 22244 for 0.9.8 and 1.0.0 branch commits

Fixed upstream in versions: 0.9.8u and 1.0.0h
Comment 3 Tomas Hoger 2012-03-13 10:55:06 EDT
Created mingw32-openssl tracking bugs for this issue

Affects: fedora-all [bug 802817]
Affects: epel-5 [bug 802820]
Comment 4 Tomas Hoger 2012-03-13 10:59:24 EDT
Created openssl tracking bugs for this issue

Affects: fedora-all [bug 802816]
Comment 10 errata-xmlrpc 2012-03-27 18:57:29 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0426 https://rhn.redhat.com/errata/RHSA-2012-0426.html
Comment 11 Fedora Update System 2012-04-10 23:52:19 EDT
openssl-1.0.0h-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-04-11 13:05:41 EDT
openssl-1.0.0h-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2012-04-11 13:06:32 EDT
openssl-1.0.0h-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2012-04-11 22:49:41 EDT
openssl-1.0.0h-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Ken Stailey 2012-07-25 12:30:05 EDT
There is no patch for openssl-0.9.7a/crypto/pkcs7/pk7_mime.c in openssl-0.9.7a-43.20.el4.src.rpm 

Neither mime_hdr_cmp() or mime_param_cmp() in openssl-0.9.7a/crypto/pkcs7/pk7_mime.c does any checking for NULL values.

Is RHEL 4 ELS vulnerable to NULL pointer could be dereferencing when parsing certain S/MIME messages?  If so will there be a fix released?  Thanks.
Comment 16 Tomas Hoger 2012-07-26 03:42:29 EDT
(In reply to comment #15)
> Is RHEL 4 ELS vulnerable to NULL pointer could be dereferencing when parsing
> certain S/MIME messages?  If so will there be a fix released?

This affects Red Hat Enterprise Linux 4 openssl packages and is not planned to get fixed.  Refer to Life Cycle and Update Policies pages for details on what fixes are addressed during the Extended Life Phase via ELS:

https://access.redhat.com/support/policy/updates/errata/#Extended_Life_Cycle_Phase
Comment 17 errata-xmlrpc 2012-09-24 12:02:43 EDT
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.0.0

Via RHSA-2012:1308 https://rhn.redhat.com/errata/RHSA-2012-1308.html
Comment 18 errata-xmlrpc 2012-09-24 12:03:43 EDT
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:1307 https://rhn.redhat.com/errata/RHSA-2012-1307.html
Comment 19 errata-xmlrpc 2012-09-24 12:04:52 EDT
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2012:1306 https://rhn.redhat.com/errata/RHSA-2012-1306.html