Bug 1341705 (CVE-2016-2177) - CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase
Summary: CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-2177
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20160505,reported=2...
Depends On: 1341706 1341707 1341708 1373890 1373891 1377623 1377624 1377625 1377626 1430538
Blocks: 1341711 1367347 1395463 1461790 1479475
TreeView+ depends on / blocked
 
Reported: 2016-06-01 14:36 UTC by Adam Mariš
Modified: 2019-06-08 21:14 UTC (History)
37 users (show)

Fixed In Version: openssl 1.0.1u, openssl 1.0.2i
Doc Type: If docs needed, set a value
Doc Text:
Multiple integer overflow flaws were found in the way OpenSSL performed pointer arithmetic. A remote attacker could possibly use these flaws to cause a TLS/SSL server or client using OpenSSL to crash.
Clone Of:
Environment:
Last Closed: 2017-01-23 07:53:52 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1940 normal SHIPPED_LIVE Important: openssl security update 2016-09-27 17:46:00 UTC
Red Hat Knowledge Base (Solution) 2662211 None None None 2016-09-28 00:45:08 UTC
Red Hat Product Errata RHSA-2016:2957 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release 2016-12-16 03:11:19 UTC
Red Hat Product Errata RHSA-2017:0193 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Release on RHEL 6 2017-01-26 01:05:09 UTC
Red Hat Product Errata RHSA-2017:0194 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Release on RHEL 7 2017-01-26 01:04:50 UTC
Red Hat Product Errata RHSA-2017:1658 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update 2017-06-29 00:20:17 UTC
Red Hat Product Errata RHSA-2017:1659 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update 2017-06-28 23:59:52 UTC

Description Adam Mariš 2016-06-01 14:36:10 UTC
A common idiom in the codebase is:

if (p + len > limit)
{
	return; /* Too long */
}

where p points to some malloc'd data of SIZE bytes and limit == p + SIZE. 'len' could be from some externally supplied data, e.g. TLS message. This idiom is vulnerable to integer overflow vulnerability.

Comment 1 Adam Mariš 2016-06-01 14:36:58 UTC
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1341708]

Comment 2 Adam Mariš 2016-06-01 14:37:09 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1341706]

Comment 3 Adam Mariš 2016-06-01 14:37:21 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1341707]

Comment 4 Andrej Nemec 2016-06-09 07:50:39 UTC
Upstream fix for 1.0.2 (only Fedora-23 and mingw packages in Fedora-23/Epel-7):

https://github.com/openssl/openssl/commit/a004e72b95835136d3f1ea90517f706c24c03da7

Comment 6 Tomas Mraz 2016-06-29 07:20:55 UTC
See upstream blog post about this issue:
https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/

In summary from one of the upstream developers: This is a LOW issue, and does not justify a release by itself.

Comment 11 Tomas Hoger 2016-09-20 08:28:59 UTC
Upstream commit in 1.0.1 branch:

https://github.com/openssl/openssl/commit/6f35f6deb5ca7daebe289f86477e061ce3ee5f46

Comment 13 Tomas Hoger 2016-09-22 12:00:22 UTC
Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i.


Pointer arithmetic undefined behaviour (CVE-2016-2177)
======================================================

Severity: Low

Avoid some undefined pointer arithmetic

A common idiom in the codebase is to check limits in the following manner:
"p + len > limit"

Where "p" points to some malloc'd data of SIZE bytes and
limit == p + SIZE

"len" here could be from some externally supplied data (e.g. from a TLS
message).

The rules of C pointer arithmetic are such that "p + len" is only well
defined where len <= SIZE. Therefore the above idiom is actually
undefined behaviour.

For example this could cause problems if some malloc implementation
provides an address for "p" such that "p + len" actually overflows for
values of len that are too big and therefore p + len < limit.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 4th May 2016 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.


External References:

https://www.openssl.org/news/secadv/20160922.txt

Comment 14 errata-xmlrpc 2016-09-27 13:53:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html

Comment 15 errata-xmlrpc 2016-12-15 22:20:34 UTC
This issue has been addressed in the following products:

   JBoss Core Services for Solaris and Microsoft Windows systems

Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html

Comment 16 errata-xmlrpc 2017-01-25 20:06:01 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2017:0194 https://access.redhat.com/errata/RHSA-2017:0194

Comment 17 errata-xmlrpc 2017-01-25 20:07:27 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2017:0193 https://access.redhat.com/errata/RHSA-2017:0193

Comment 20 errata-xmlrpc 2017-06-28 20:01:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:1659 https://access.redhat.com/errata/RHSA-2017:1659

Comment 21 errata-xmlrpc 2017-06-28 20:20:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:1658 https://access.redhat.com/errata/RHSA-2017:1658


Note You need to log in before you can comment on or make changes to this bug.