Bug 1312219 - (CVE-2016-0799) CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20160226,reported=2...
: Security
Depends On: 1312856 1312857 1312858 1321841 1321842 1331569 1331865 1331866 1366994
Blocks: 1314768 1395463
Reported: 2016-02-26 01:44 EST by Huzaifa S. Sidhpurwala
Modified: 2017-09-12 11:35 EDT
Fixed In Version: openssl 1.0.1s, openssl 1.0.2g
Doc Type: Bug Fix
Doc Text:
Several flaws were found in the way BIO_*printf functions were implemented in OpenSSL. Applications which passed large amounts of untrusted data through these functions could crash or potentially execute code with the permissions of the user running such an application.
Description Huzaifa S. Sidhpurwala 2016-02-26 01:44:51 EST
As per Upstream advisory:

The internal |fmtstr| function used in processing a "%s" format string in the
BIO_*printf functions could overflow while calculating the length of a string
and cause an OOB read when printing very long strings.

Additionally the internal |doapr_outch| function can attempt to write to an OOB
memory location (at an offset from the NULL pointer) in the event of a memory
allocation failure. In 1.0.2 and below this could be caused where the size of a
buffer to be allocated is greater than INT_MAX. E.g. this could be in processing
a very long "%s" format string. Memory leaks can also occur.

These issues will only occur on certain platforms where sizeof(size_t) >
sizeof(int). E.g. many 64 bit systems. The first issue may mask the second issue
dependent on compiler behaviour. These problems could enable attacks where large
amounts of untrusted data is passed to the BIO_*printf functions. If
applications use these functions in this way then they could be vulnerable.
OpenSSL itself uses these functions when printing out human-readable dumps of
ASN.1 data. Therefore applications that print this data could be vulnerable if
the data is from untrusted sources. OpenSSL command line applications could also
be vulnerable where they print out ASN.1 data, or if untrusted data is passed as
command line arguments.

Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was reported to OpenSSL on February 23rd by Guido Vranken.  The fix was developed by Matt Caswell of the OpenSSL development team.
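
The two failure modes described in the advisory above, shown as a C example added here for illustration; it is not OpenSSL's code or the upstream fix, and `outbuf`, `length_as_int`, `bounded_len` and `outbuf_putc` are hypothetical names. It shows the truncation that occurs where sizeof(size_t) > sizeof(int), a length computation that stays within a caller-supplied bound, and an append routine that reports failure instead of writing when growth is refused or allocation fails.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical growable output buffer; not OpenSSL's own structure. */
struct outbuf { char *data; size_t len, cap; };

/* The bug class: a size_t length squeezed into an int. Where
 * sizeof(size_t) > sizeof(int) the value is truncated or goes negative. */
int length_as_int(size_t n) { return (int)n; }

/* Bounded length: stops at `max`, so the result never exceeds the
 * caller's limit and no byte beyond s[max-1] is ever read. */
size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Append one byte. Returns 1 on success, 0 on failure. On failure the
 * buffer is left untouched: no write through a NULL pointer, no leak. */
int outbuf_putc(struct outbuf *b, char c)
{
    if (b->len == b->cap) {
        size_t ncap = b->cap ? b->cap * 2 : 64;
        char *p;
        if (b->cap > SIZE_MAX / 2 || ncap > (size_t)INT_MAX)
            return 0;               /* refuse sizes an int cannot hold */
        p = realloc(b->data, ncap);
        if (p == NULL)
            return 0;               /* old block stays valid and owned */
        b->data = p;
        b->cap = ncap;
    }
    b->data[b->len++] = c;
    return 1;
}

int main(void)
{
    /* Constructed state: a buffer that claims to be full at INT_MAX bytes. */
    struct outbuf full = { NULL, (size_t)INT_MAX, (size_t)INT_MAX };
    printf("INT_MAX+1 as int: %d\n", length_as_int((size_t)INT_MAX + 1u));
    printf("bounded_len: %zu\n", bounded_len("hello", 3));
    printf("putc on full buffer: %d\n", outbuf_putc(&full, 'x'));
    return 0;
}
```
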
Comment 2 Martin Prpič 2016-02-29 07:02:22 EST
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1312858]
Comment 3 Martin Prpič 2016-02-29 07:02:28 EST
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1312856]
Comment 4 Martin Prpič 2016-02-29 07:02:34 EST
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1312857]
Comment 5 Martin Prpič 2016-02-29 07:33:10 EST
Acknowledgments:

Name: the OpenSSL project
Upstream: Guido Vranken
Comment 6 Fedora Update System 2016-03-03 15:22:27 EST
openssl-1.0.2g-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Huzaifa S. Sidhpurwala 2016-03-10 03:51:56 EST
Statement:

The original issue fixed by OpenSSL upstream contains two distinct fixes. The first one is a format string flaw in the internal fmtstr functions, which may result in an OOB read flaw when printing very large strings. This issue was assigned CVE-2016-0799.

The second issue relates to the internal doapr_outch function of OpenSSL. It can result in an OOB write, or cause memory leaks. This issue has been assigned CVE-2016-2842 by MITRE and is now tracked as https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2842
Comment 8 Fedora Update System 2016-03-13 05:51:42 EDT
openssl-1.0.1k-14.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 errata-xmlrpc 2016-05-09 05:28:36 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0722 https://rhn.redhat.com/errata/RHSA-2016-0722.html
Comment 16 errata-xmlrpc 2016-05-10 00:20:10 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0996 https://rhn.redhat.com/errata/RHSA-2016-0996.html
Comment 19 jkeilson 2016-05-16 11:42:40 EDT
There appears to be a problem with the source RPM for RHEL6. It looks like something is wrong with one of the certs used in the tests.
Comment 23 Tomas Mraz 2016-05-17 10:12:46 EDT
(In reply to jkeilson from comment #19)
> There appears to be a problem with the source RPM for RHEL6. It looks like
> something is wrong with one of the certs used in the tests.

Unfortunately, the certs used for the tests expired. If you want to rebuild the source, you have to artificially manipulate the date on the machine used for the rebuild or disable the tests.

The certs will be updated in a future openssl erratum.
Comment 25 Fedora Update System 2016-05-27 19:16:22 EDT
openssl101e-1.0.1e-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 27 errata-xmlrpc 2016-10-18 03:08:27 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2016:2073 https://rhn.redhat.com/errata/RHSA-2016-2073.html
Comment 28 errata-xmlrpc 2016-12-15 17:16:24 EST
This issue has been addressed in the following products:



Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html
