Bug 476671 - (CVE-2008-5077) CVE-2008-5077 OpenSSL Incorrect checks for malformed signatures
CVE-2008-5077 OpenSSL Incorrect checks for malformed signatures
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
Michal Marciniszyn
reported=20081216,public=20090107,imp...
: Security
Depends On: 476676 476677 476678 476679 476680 476681 476682 476683 476684 476685 476686 476687 476688 482112 530522 673086 813718 1127896
Blocks:
  Show dependency treegraph
 
Reported: 2008-12-16 10:15 EST by Mark J. Cox (Product Security)
Modified: 2014-08-07 15:00 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-21 03:25:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
proposed patch (5.37 KB, patch)
2008-12-16 10:17 EST, Mark J. Cox (Product Security)
no flags Details | Diff

  None (edit)
Description Mark J. Cox (Product Security) 2008-12-16 10:15:56 EST
Draft advisory from OpenSSL team:

OpenSSL Security Advisory [07-Jan-2009]

Incorrect checks for malformed signatures
-------------------------------------------

Several functions inside OpenSSL incorrectly checked the result after
calling the EVP_VerifyFinal function, allowing a malformed signature
to be treated as a good signature rather than as an error.  This issue
affected the signature checks on DSA and ECDSA keys used with
SSL/TLS.

One way to exploit this flaw would be for a remote attacker who is in
control of a malicious server or who can use a 'man in the middle'
attack to present a malformed SSL/TLS signature from a certificate chain
to a vulnerable client, bypassing validation.

This vulnerability is tracked as CVE-2008-5077.

The OpenSSL security team would like to thank the Google Security Team
for reporting this issue.

Who is affected?
-----------------

Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client
when connecting to a server whose certificate contains a DSA or ECDSA key.

Use of OpenSSL as an SSL/TLS client when connecting to a server whose
certificate uses an RSA key is NOT affected.

Verification of client certificates by OpenSSL servers for any key type
is NOT affected.

Recommendations for users of OpenSSL
------------------------------------

Users of OpenSSL 0.9.8 should update to the OpenSSL 0.9.8j release
which contains a patch to correct this issue.

The patch used is also appended to this advisory for users or
distributions who wish to backport this patch to versions they build
from source. Please note: this patch also includes fixes for a
few other cases where return codes are not correctly checked, but
these do not have a security implication

Recommendations for projects using OpenSSL
------------------------------------------

Projects and products using OpenSSL should audit any use of the
routine EVP_VerifyFinal() to ensure that the return code is being
correctly handled.  As documented, this function returns 1 for a
successful verification, 0 for failure, and -1 for an error.

General recommendations
-----------------------

Any SSL/TLS server with clients that OpenSSL to verify DSA or ECDSA
certificates, regardless of the software used by the server, should
either ensure that all clients are upgraded or should stop using
DSA/ECDSA certificates. Note that unless certificates are revoked
(and clients check for revocation) impersonation will still be
possible until the certificate expires.
Comment 1 Mark J. Cox (Product Security) 2008-12-16 10:17:00 EST
Created attachment 327115 [details]
proposed patch
Comment 8 Mark J. Cox (Product Security) 2009-01-07 07:58:46 EST
now public, removing embargo
http://openssl.org/news/secadv_20090107.txt
Comment 9 Fedora Update System 2009-01-07 12:47:54 EST
openssl-0.9.8g-9.12.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/openssl-0.9.8g-9.12.fc9
Comment 10 Fedora Update System 2009-01-07 12:49:40 EST
openssl-0.9.8g-12.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/openssl-0.9.8g-12.fc10
Comment 11 Fedora Update System 2009-01-07 23:19:08 EST
openssl-0.9.8g-9.12.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2009-01-07 23:19:42 EST
openssl-0.9.8g-12.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Tomas Hoger 2009-01-09 02:38:49 EST
oCERT advisory:
  http://www.ocert.org/advisories/ocert-2008-016.html
Comment 14 Richard W.M. Jones 2009-01-11 18:12:41 EST
Is it planned to rebuild this in Rawhide?  I notice that F-10 contains the
fix but Rawhide does not.
Comment 15 Tomas Mraz 2009-01-12 02:29:29 EST
I'm currently working on upgrade of openssl in rawhide to the latest released upstream version which already contains the fix. It will take some time though as we will need a special build target for rebuild of the dependent packages.

Note You need to log in before you can comment on or make changes to this bug.