Bug 1297437 - mbedtls, polarssl: potential double free during certificate generation
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20160108,reported=2...
: Security
Depends On: 1297438 1297439
Reported: 2016-01-11 09:15 EST by Andrej Nemec
Modified: 2016-01-27 11:12 EST
Fixed In Version: mbedtls 2.2.1, mbedtls 2.1.4, mbedtls 1.3.16, polarssl 1.2.19
Doc Type: Bug Fix
Description Andrej Nemec 2016-01-11 09:15:27 EST
In case an entry with the given OID already exists in the list passed to
mbedtls_asn1_store_named_data() and there is not enough memory to allocate
room for the new value, the existing entry will be freed but the preceding
entry in the list will still hold a pointer to it. (And the following entries
in the list are no longer reachable.) This results in a memory leak or a double
free.

Upstream fix available here:

https://github.com/ARMmbed/mbedtls/commit/97b5209bc01ab8b3b519fdb46cefc04739433124

Upstream issue:

https://github.com/ARMmbed/mbedtls/issues/367
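
A reduced model of the failure mode described above, as an added example that is not part of the original report and is not mbed TLS code. The names `node`, `xalloc`, `store_defective` and `store_safe` are hypothetical, and the allocate-before-modify ordering shown is one way to avoid the fault.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical simplified node; not the mbed TLS structure. */
typedef struct node {
    char oid[16];
    unsigned char *val;
    size_t val_len;
    struct node *next;
} node;

static int fail_alloc = 0;  /* fault injection: make allocation fail */
static void *xalloc(size_t n) { return fail_alloc ? NULL : calloc(1, n); }

static node *find(node *head, const char *oid) {
    for (; head != NULL; head = head->next)
        if (strcmp(head->oid, oid) == 0) return head;
    return NULL;
}

/* Defective ordering (contrast only, never called here): on allocation
 * failure the node is freed while its predecessor still links to it. */
node *store_defective(node *head, const char *oid, const void *val, size_t len) {
    node *cur = find(head, oid);
    if (cur == NULL) return NULL;           /* insertion path omitted */
    free(cur->val);
    cur->val = xalloc(len);
    if (cur->val == NULL) { free(cur); return NULL; }  /* dangling link */
    memcpy(cur->val, val, len); cur->val_len = len;
    return cur;
}

/* Safe ordering: allocate first, modify the list only on success. */
node *store_safe(node *head, const char *oid, const void *val, size_t len) {
    node *cur = find(head, oid);
    if (cur == NULL) return NULL;           /* insertion path omitted */
    unsigned char *p = xalloc(len);
    if (p == NULL) return NULL;             /* list left exactly as it was */
    memcpy(p, val, len);
    free(cur->val);
    cur->val = p; cur->val_len = len;
    return cur;
}

int main(void) {
    node b = { "2.5.4.3", NULL, 0, NULL }, a = { "2.5.4.6", NULL, 0, &b };
    fail_alloc = 1;                          /* constructed out-of-memory case */
    return store_safe(&a, "2.5.4.3", "x", 1) == NULL && a.next == &b ? 0 : 1;
}
```
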
Comment 1 Andrej Nemec 2016-01-11 09:15:44 EST
Fedora 22, package polarssl, is not vulnerable because it currently has polarssl-1.3.9-3.fc22 in stable
Comment 2 Andrej Nemec 2016-01-11 09:16:07 EST
Created mbedtls tracking bugs for this issue:

Affects: fedora-all [bug 1297438]
Affects: epel-all [bug 1297439]
Comment 3 Morten Stevens 2016-01-11 09:50:42 EST
Please note: PolarSSL has been replaced with mbedTLS. We no longer support PolarSSL.
Comment 4 Martin Prpič 2016-01-11 10:02:40 EST
(In reply to Morten Stevens from comment #3)
> Please note: PolarSSL has been replaced with mbedTLS. We no longer
> support PolarSSL.

Hi, unfortunately the polarssl package is still available in the latest version of Fedora. If you no longer support PolarSSL and will not build new fixed versions, then the package should be removed according to the guidelines in:

https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life
Comment 5 Morten Stevens 2016-01-11 10:19:31 EST
(In reply to Martin Prpic from comment #4)
> (In reply to Morten Stevens from comment #3)
> > Please note: PolarSSL has been replaced with mbedTLS. We no longer
> > support PolarSSL.
> 
> Hi, unfortunately the polarssl package is still available in the latest
> version of Fedora. If you no longer support PolarSSL and will not build new
> fixed versions, then the package should be removed according to the
> guidelines in:
> 
> https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

Of course, that has already happened: https://admin.fedoraproject.org/pkgdb/package/rpms/polarssl/

Regarding Fedora 22: You'll get mbedTLS automatically if you have the older PolarSSL installed.
Comment 6 Martin Prpič 2016-01-11 10:22:36 EST
(In reply to Morten Stevens from comment #5)
> (In reply to Martin Prpic from comment #4)
> > (In reply to Morten Stevens from comment #3)
> > > Please note: PolarSSL has been replaced with mbedTLS. We no longer
> > > support PolarSSL.
> > 
> > Hi, unfortunately the polarssl package is still available in the latest
> > version of Fedora. If you no longer support PolarSSL and will not build new
> > fixed versions, then the package should be removed according to the
> > guidelines in:
> > 
> > https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life
> 
> Of course, that has already happened:
> https://admin.fedoraproject.org/pkgdb/package/rpms/polarssl/
> 

Ah, cool, this build confused me because it's tagged as f23 but not actually in the mirrors:

http://koji.fedoraproject.org/koji/buildinfo?buildID=658695

> Regarding Fedora 22: You'll get mbedTLS automatically if you have the
> older PolarSSL installed.

Fair enough, thanks!
Comment 7 Fedora Update System 2016-01-19 18:28:18 EST
mbedtls-2.2.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2016-01-19 18:53:26 EST
mbedtls-1.3.16-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2016-01-26 10:42:06 EST
mbedtls-2.2.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2016-01-27 10:58:27 EST
mbedtls-2.2.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2016-01-27 11:12:38 EST
mbedtls-2.2.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.