Bug 309801 - (CVE-2007-5135) CVE-2007-5135 openssl SSL_get_shared_ciphers() off-by-one
Status: RELEASE_PENDING
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
reported=20070927,source=cve,public=2...
Duplicates: 305811
Depends On: 309831 309841 309851 309861 309871 309881
Reported: 2007-09-27 15:39 EDT by Mark J. Cox (Product Security)
Modified: 2016-03-04 06:32 EST

Doc Type: Bug Fix
Description Mark J. Cox (Product Security) 2007-09-27 15:39:40 EDT
In 2006, Tavis Ormandy and Will Drewry of the Google Security Team discovered a
buffer overflow in the SSL_get_shared_ciphers() utility function. An
attacker could send a list of ciphers to an application that used this
function and overrun a buffer (CVE-2006-3738). Few applications make use
of this vulnerable function and generally it is used only when applications
are compiled for debugging.

Moritz Jodeit found that a single-byte (NUL) overflow was still possible:
http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded

Things that use SSL_get_shared_ciphers():

        openssl: s_server usage
        ckermit: uses function
        mysql-4.1.10a: in a debugging #ifdef
        exim: only if debugging
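The bug class the description refers to, as an added illustration that is not OpenSSL's code and not part of this bug report: a hypothetical `join_ciphers_off_by_one()` that fills a caller-supplied buffer with ':'-separated cipher names the way a shared-cipher helper would, counts the remaining length down per byte, and ends up writing the terminating NUL one byte past the buffer when a separator lands exactly in the last usable slot; beside it, `join_ciphers_fixed()` checks that each name plus its separator fits before copying anything. The cipher names and the 64-byte sentinel harness (`canary_intact()`) are constructed for the demo; the sentinel check is the kind of bounds test a reviewer can apply to any fixed-buffer string builder.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed cipher names for the demo (not taken from the page). */
static const char *const kCiphers[] = { "AES128-SHA", "RC4-MD5", "DES-CBC3-SHA" };
#define NCIPHERS (sizeof kCiphers / sizeof kCiphers[0])

/* Hypothetical joiner modelled on the reported bug class (not OpenSSL's code).
 * It counts len down byte by byte and reserves one byte per name for the ':'
 * that follows it (or the final '\0').  The ':' itself is written unchecked,
 * so when a name's ':' lands in the last usable byte, the next name's bounds
 * check fires with len already negative and the '\0' goes to buf[len]. */
static char *join_ciphers_off_by_one(const char *const *names, size_t n,
                                     char *buf, int len)
{
    char *p = buf;
    if (len < 2 || n == 0)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        len--;                      /* reserve a byte for ':' or '\0' */
        for (const char *cp = names[i]; *cp; ) {
            if (len-- <= 0) {       /* no room left: terminate and stop */
                *p = '\0';          /* may be buf[original len]: one past the end */
                return buf;
            }
            *p++ = *cp++;
        }
        *p++ = ':';                 /* unchecked, but always within bounds */
    }
    p[-1] = '\0';                   /* turn the trailing ':' into the terminator */
    return buf;
}

/* Corrected form: check that the whole name plus its ':' (or '\0') fits
 * before copying anything; when it does not, overwrite the previous ':'
 * (which is inside the buffer) with the terminator. */
static char *join_ciphers_fixed(const char *const *names, size_t n,
                                char *buf, int len)
{
    char *p = buf;
    if (len < 2 || n == 0)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        size_t nm = strlen(names[i]);
        if (nm + 1 > (size_t)len) { /* name plus separator/terminator must fit */
            if (p != buf)
                --p;                /* step back onto the trailing ':' */
            *p = '\0';
            return buf;
        }
        memcpy(p, names[i], nm);
        p += nm;
        *p++ = ':';
        len -= (int)(nm + 1);
    }
    p[-1] = '\0';
    return buf;
}

typedef char *(*joiner_fn)(const char *const *, size_t, char *, int);

/* Sentinel harness: gives the joiner exactly `len` usable bytes followed by a
 * sentinel byte and reports whether that sentinel survived.  Returns 1 if no
 * write went past buf[len-1], 0 if the sentinel was clobbered, -1 on bad args.
 * If `out` is non-NULL, the first `len` bytes of the result are copied there. */
static int canary_intact(joiner_fn fn, const char *const *names, size_t n,
                         int len, char *out)
{
    char backing[64];
    if (len <= 0 || len >= (int)sizeof backing)
        return -1;
    memset(backing, 'X', sizeof backing);
    backing[len] = 0x7f;            /* sentinel at buf[len] */
    fn(names, n, backing, len);
    if (out)
        memcpy(out, backing, (size_t)len);
    return backing[len] == 0x7f;
}

int main(void)
{
    /* 11 bytes hold "AES128-SHA:" exactly, which triggers the off-by-one. */
    char out[64];
    int tight_len = 11;
    printf("off-by-one, len=%d: sentinel %s, buf=\"%.*s\"\n", tight_len,
           canary_intact(join_ciphers_off_by_one, kCiphers, NCIPHERS, tight_len, out)
               ? "intact" : "CLOBBERED",
           tight_len, out);
    printf("fixed,      len=%d: sentinel %s, buf=\"%.*s\"\n", tight_len,
           canary_intact(join_ciphers_fixed, kCiphers, NCIPHERS, tight_len, out)
               ? "intact" : "CLOBBERED",
           tight_len, out);
    return 0;
}
```

With a roomy buffer both variants produce the same ':'-separated list and leave the sentinel alone; only the exact-fit case separates them, which is why a sentinel test should be driven at every length around the expected output size rather than at one generous size.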
Comment 4 Mark J. Cox (Product Security) 2007-10-16 12:40:52 EDT
Note that this issue is only of moderate security severity. Few applications
make use of this vulnerable function, and generally it is used only when
applications are compiled for debugging. In addition, this single-byte overflow
is not likely to be exploitable, which is why the OpenSSL team did not do an
immediate fix for this issue.

We fixed this issue in Red Hat Enterprise Linux 5 in early Oct 2007 because we
had to issue an update to fix a higher severity issue that only affected the
RHEL5 OpenSSL.

An update to fix this issue is in progress for RHEL2.1 and RHEL3 and will be
released when completed (depending on it passing Quality Engineering and the
queue of higher severity issues).

An update to fix this issue for RHEL4 will be issued after RHEL4.6 is released.
Comment 6 Mark J. Cox (Product Security) 2007-10-22 06:48:32 EDT
The updates to correct this issue for RHEL2.1, 3, and 5 have been released. An update
to correct this issue for RHEL4 will be made available after the release of
update 6 (4.6).
