Red Hat Bugzilla – Bug 1202395
CVE-2015-0292 openssl: integer underflow leading to buffer overflow in base64 decoding
Last modified: 2018-07-18 10:36:48 EDT
A vulnerability existed in previous versions of OpenSSL related to the processing of base64-encoded data. Any code path that reads base64 data from an untrusted source could be affected (such as the PEM processing routines). Maliciously crafted base 64 data could trigger a segmenation fault or memory corruption. This was addressed in previous versions of OpenSSL but has not been included in any security advisory until now. This issue affects OpenSSL versions 1.0.1, 1.0.0, and 0.9.8. This issue is fixed in versions: 1.0.1h, 1.0.0m, and 0.9.8za. Acknowledgements: Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Robert Dugal and David Ramos as the original reporters.
Upstream bug report: https://rt.openssl.org/Ticket/Display.html?id=2608&user=guest&pass=guest Upstream commits: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d0666f2 (1.0.1) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=84fe686 (1.0.0) https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9febee0 (0.9.8)
There is an integer underflow issue, which can result in the decoded bytes counter to have negative value (in the range of -1 to -16). That value is subsequently used as memcpy() size argument, leading to attempt to copy close to SIZE_MAX bytes. Hence program crashes before memcpy() completes. However, memcpy() target buffer is overflown, so this has some code execution impact risk for e.g. multi-threaded programs.
External References: https://openssl.org/news/secadv_20150319.txt https://access.redhat.com/articles/1384453
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1196738]
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1203855] Affects: epel-7 [bug 1203856]
openssl-1.0.1k-6.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
openssl-1.0.1k-6.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
openssl-1.0.1e-42.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:0715 https://rhn.redhat.com/errata/RHSA-2015-0715.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:0716 https://rhn.redhat.com/errata/RHSA-2015-0716.html
This issue has been addressed in the following products: Red Hat Storage 2.1 Via RHSA-2015:0752 https://rhn.redhat.com/errata/RHSA-2015-0752.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2015:0800 https://rhn.redhat.com/errata/RHSA-2015-0800.html