Bug 309801 (CVE-2007-5135) - CVE-2007-5135 openssl: SSL_get_shared_ciphers() off-by-one
Summary: CVE-2007-5135 openssl: SSL_get_shared_ciphers() off-by-one
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-5135
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
URL:
Whiteboard:
: 305811 (view as bug list)
Depends On: 309831 309841 309851 309861 309871 309881
Blocks:
Reported: 2007-09-27 19:39 UTC by Mark J. Cox
Modified: 2019-09-29 12:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-12 09:47:49 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0813 0 normal SHIPPED_LIVE Moderate: openssl security update 2007-10-22 10:40:30 UTC
Red Hat Product Errata RHSA-2007:0964 0 normal SHIPPED_LIVE Important: openssl security update 2007-10-12 14:22:50 UTC
Red Hat Product Errata RHSA-2007:1003 0 normal SHIPPED_LIVE Moderate: openssl security and bug fix update 2007-11-15 14:58:46 UTC

Description Mark J. Cox 2007-09-27 19:39:40 UTC
In 2006, Tavis Ormandy and Will Drewry of the Google Security Team discovered a
buffer overflow in the SSL_get_shared_ciphers() utility function. An
attacker could send a list of ciphers to an application that used this
function and overrun a buffer (CVE-2006-3738). Few applications make use
of this vulnerable function and generally it is used only when applications
are compiled for debugging.

Moritz Jodeit found that a single byte (nul) overflow was still possible:
http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded

Things that use SSL_get_shared_ciphers():

        openssl: s_server usage
        ckermit: uses function
        mysql-4.1.10a: in a debugging #ifdef
        exim: only if debugging
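As an added illustration of the single-byte nul overflow described above (a simplified model written for this page, not OpenSSL's code): a function that joins cipher names with ':' into a caller-supplied buffer, once with length accounting that lets the remaining count go negative so the terminating nul lands one byte past the buffer, and once with a check that the whole name plus its separator fits before anything is copied. The cipher names and the canary byte are constructed sample data.

```c
#include <string.h>

/* Added example, not OpenSSL's code: simplified model of pre-fix length accounting.
 * len is decremented once per name (for its ':' or the NUL) and once per byte;
 * nothing stops it from going negative when the next name starts. */
static char *join_ciphers_buggy(const char **names, int n, char *buf, int len)
{
    char *p = buf;
    if (len < 2) return NULL;
    for (int i = 0; i < n; i++) {
        len--;                                  /* reserve room for ':' or the final NUL */
        for (const char *cp = names[i]; *cp; ) {
            if (len-- <= 0) { *p = '\0'; return buf; }  /* len already < 0: NUL hits buf[size] */
            *p++ = *cp++;
        }
        *p++ = ':';
    }
    p[-1] = '\0';
    return buf;
}

/* Hardened form: check that the whole name plus one separator fits before copying. */
static char *join_ciphers_safe(const char **names, int n, char *buf, int len)
{
    char *p = buf;
    if (len < 2) return NULL;
    for (int i = 0; i < n; i++) {
        size_t sz = strlen(names[i]);
        if (sz + 1 > (size_t)len) {             /* does not fit: terminate what we have */
            if (p != buf) --p;                  /* drop the trailing ':' of the previous name */
            *p = '\0';
            return buf;
        }
        memcpy(p, names[i], sz);
        p += sz;
        *p++ = ':';
        len -= (int)(sz + 1);
    }
    p[-1] = '\0';
    return buf;
}

typedef char *(*join_fn)(const char **, int, char *, int);
static const char *sample[] = { "AB", "CD" };   /* constructed names, not real cipher names */
static char guarded[4];                         /* 3-byte target buffer, canary at guarded[3] */

/* Join the sample into the 3-byte buffer with fn; return 1 if the canary survived. */
static int canary_intact(join_fn fn)
{
    memcpy(guarded, "xxx\x7f", 4);
    fn(sample, 2, guarded, 3);
    return guarded[3] == 0x7f;
}
```

After the safe call `guarded` holds "AB" with the canary intact; after the buggy call it holds "AB:" and the canary byte has been replaced by the nul terminator.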

Comment 4 Mark J. Cox 2007-10-16 16:40:52 UTC
Note that this issue is only of moderate security severity.  Few applications
make use of this vulnerable function and generally it is used only when
applications are compiled for debugging.  In addition, this single-byte overflow
is not likely to be exploitable, which is why the OpenSSL team did not do an
immediate fix for this issue.

We fixed this issue in Red Hat Enterprise Linux 5 in early Oct 2007 because we
had to issue an update to fix a higher severity issue that only affected the
RHEL5 OpenSSL.

An update to fix this issue is in progress for RHEL2.1 and RHEL3 and will be
released when completed (depending on it passing Quality Engineering and the
queue of higher severity issues).

An update to fix this issue for RHEL4 will be issued after RHEL4.6 is released.


Comment 6 Mark J. Cox 2007-10-22 10:48:32 UTC
The update to correct this issue for RHEL2.1, 3 and 5 has been released.  An update
to correct this issue for RHEL4 will be made available after the release of
update 6 (4.6).
