Bug 1341705 - (CVE-2016-2177) CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20160505,reported=2...
Keywords: Security
Depends On: 1373890 1373891 1430538 1341706 1341707 1341708 1377623 1377624 1377625 1377626
Blocks: 1367347 1341711 1395463
Reported: 2016-06-01 10:36 EDT by Adam Mariš
Modified: 2017-03-08 16:43 EST (History)

See Also:
Fixed In Version: openssl 1.0.1u, openssl 1.0.2i
Doc Type: If docs needed, set a value
Doc Text:
Multiple integer overflow flaws were found in the way OpenSSL performed pointer arithmetic. A remote attacker could possibly use these flaws to cause a TLS/SSL server or client using OpenSSL to crash.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-23 02:53:52 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2662211 None None None 2016-09-27 20:45 EDT

Description Adam Mariš 2016-06-01 10:36:10 EDT
A common idiom in the codebase is:

if (p + len > limit)
{
	return; /* Too long */
}

where p points to some malloc'd data of SIZE bytes and limit == p + SIZE. 'len' could be from some externally supplied data, e.g. a TLS message. This idiom is vulnerable to an integer overflow vulnerability.
Comment 1 Adam Mariš 2016-06-01 10:36:58 EDT
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1341708]
Comment 2 Adam Mariš 2016-06-01 10:37:09 EDT
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1341706]
Comment 3 Adam Mariš 2016-06-01 10:37:21 EDT
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1341707]
Comment 4 Andrej Nemec 2016-06-09 03:50:39 EDT
Upstream fix for 1.0.2 (only Fedora-23 and mingw packages in Fedora-23/Epel-7):

https://github.com/openssl/openssl/commit/a004e72b95835136d3f1ea90517f706c24c03da7
Comment 6 Tomas Mraz 2016-06-29 03:20:55 EDT
See upstream blog post about this issue:
https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/

In summary from one of the upstream developers: This is a LOW issue, and does not justify a release by itself.
Comment 11 Tomas Hoger 2016-09-20 04:28:59 EDT
Upstream commit in 1.0.1 branch:

https://github.com/openssl/openssl/commit/6f35f6deb5ca7daebe289f86477e061ce3ee5f46
Comment 13 Tomas Hoger 2016-09-22 08:00:22 EDT
Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i.


Pointer arithmetic undefined behaviour (CVE-2016-2177)
======================================================

Severity: Low

Avoid some undefined pointer arithmetic

A common idiom in the codebase is to check limits in the following manner:
"p + len > limit"

Where "p" points to some malloc'd data of SIZE bytes and
limit == p + SIZE

"len" here could be from some externally supplied data (e.g. from a TLS
message).

The rules of C pointer arithmetic are such that "p + len" is only well
defined where len <= SIZE. Therefore the above idiom is actually
undefined behaviour.

For example this could cause problems if some malloc implementation
provides an address for "p" such that "p + len" actually overflows for
values of len that are too big and therefore p + len < limit.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 4th May 2016 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.


External References:

https://www.openssl.org/news/secadv/20160922.txt
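The hardened form of the limit check described in the description above and in the advisory, as an added example that is not OpenSSL's code or the upstream commit: it compares len with the remaining space limit - p instead of forming p + len, and applies that check to a constructed 2-byte length-prefixed field of the kind found in TLS messages. The old idiom is kept only for side-by-side comparison.

```c
#include <stddef.h>

/* Pre-fix idiom from the advisory: p + len is computed first. When len
 * exceeds the bytes left in the allocation, forming that pointer is
 * already undefined behaviour, so the comparison cannot be relied on.
 * Kept here only for comparison with the hardened form below. */
static int fits_old_idiom(const unsigned char *p, size_t len,
                          const unsigned char *limit)
{
    return p + len <= limit;
}

/* Hardened form: compare len with the space remaining, limit - p, which
 * is well defined because both pointers lie within the same object.
 * No out-of-bounds pointer is ever formed. */
static int fits_in_remaining(const unsigned char *p, size_t len,
                             const unsigned char *limit)
{
    if (p > limit)
        return 0;
    return len <= (size_t)(limit - p);
}

/* Constructed example: a 2-byte big-endian length followed by that many
 * payload bytes, the shape of many TLS message fields. Returns the payload
 * length, or -1 when the externally supplied length does not fit. */
static int read_len_prefixed(const unsigned char *buf, size_t buf_size,
                             const unsigned char **payload)
{
    const unsigned char *p = buf;
    const unsigned char *limit = buf + buf_size; /* one past the end */
    size_t len;

    if (!fits_in_remaining(p, 2, limit))
        return -1;
    len = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (!fits_in_remaining(p, len, limit))
        return -1; /* too long: rejected without computing p + len */
    *payload = p;
    return (int)len;
}
```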
Comment 14 errata-xmlrpc 2016-09-27 09:53:02 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html
Comment 15 errata-xmlrpc 2016-12-15 17:20:34 EST
This issue has been addressed in the following products:

   JBoss Core Services for Solaris and Microsoft Windows systems

Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html
Comment 16 errata-xmlrpc 2017-01-25 15:06:01 EST
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2017:0194 https://access.redhat.com/errata/RHSA-2017:0194
Comment 17 errata-xmlrpc 2017-01-25 15:07:27 EST
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2017:0193 https://access.redhat.com/errata/RHSA-2017:0193