Bug 104893 - (CVE-2003-0543, CVE-2003-0544, CVE-2003-0545) CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes
CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: openssl (Show other bugs)
2.1
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-09-23 07:06 EDT by Mark J. Cox (Product Security)
Modified: 2009-05-15 07:02 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-10-02 04:05:42 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2003-09-23 07:06:15 EDT
Notified via NISCC on Sep12, NISCC 006489

CAN-2003-0543 OpenSSL 0.96/0.97 ASN.1 int overflow
CAN-2003-0544 OpenSSL 0.96/0.97 ASN.1 read one character

NISCC found two bugs in OpenSSL 0.9.6 which can be triggered by sending a
carefully crafted SSL client certificate containing an unusual ASN.1 tag
value, such a certificate, could cause an application using OpenSSL to terminate
unexpectedly.  

RHSA-2003:293 in progress

Embargoed until November 4th 2003.
Comment 1 Mark J. Cox (Product Security) 2003-09-29 05:36:16 EDT
Actually this is embargoed until September 30th not November 4th (my mistake). 
A better description of the issues:

NISCC testing of implementations of the SSL protocol uncovered two bugs in
OpenSSL 0.9.6 and OpenSSL 0.9.7. The parsing of unusual ASN.1 tag values
can cause OpenSSL to crash. A remote attacker could trigger this bug by
sending a carefully-crafted SSL client certificate to an application. The
effects of such an attack vary depending on the application targetted;
against Apache the effects are limited, as the attack would only cause
child processes to die and be replaced. An attack against other
applications that use OpenSSL could result in a Denial of Service. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the names CAN-2003-0543 and CAN-2003-0544 to this issue.

[CAN-2003-0543 is the fix that prevents the tag from overflowing an int.

CAN-2003-0544 is the fix that decrements the number of characters which can be
read when the final long form octet is read. Without this it can read one
character past end of buffer whenever the long form is used.]

NISCC testing of implementations of the SSL protocol uncovered an
additional bug in OpenSSL 0.9.7. Certain ASN.1 encodings that are rejected
as invalid by the parser can trigger a bug in deallocation of a structure,
leading to a double free. A remote attacker could trigger this bug by
sending a carefully-crafted SSL client certificate to an application. It
may be possible for an attacker to exploit this issue to execute arbitrary
code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0545 to this issue.

This will be RHSA-2003:293
Comment 2 Mark J. Cox (Product Security) 2003-10-02 04:05:42 EDT
The errata 
http://rhn.redhat.com/errata/RHSA-2003-293.html 
was released shortly after 1200UTC on 30th September.

Making this bug public.
Comment 3 Jan Lieskovsky 2009-05-15 07:02:46 EDT
More details from the CERT VU#935264, OpenSSL "secadv_20030930.txt" upstream advisory (http://www.kb.cert.org/vuls/id/935264, 
          http://www.openssl.org/news/secadv_20030930.txt)

advisory for the CAN/CVE-2003-0545 issue:

<cite>

1. Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in the deallocation of the corresponding data
structure, corrupting the stack. This can be used as a denial of service
attack. It is currently unknown whether this can be exploited to run
malicious code. This issue does not affect OpenSSL 0.9.6.

</cite>

The CAN-2003-0545 (currently known as CVE-2003-0545) issue does NOT
affect the versions of the openssl096 package, as shipped with Red Hat
Enterprise Linux 2.1, 3, and 4.

Note You need to log in before you can comment on or make changes to this bug.