569774 – (CVE-2010-0433) CVE-2010-0433 openssl: crash caused by a missing krb5_sname_to_principal() return value check

Bug 569774 (CVE-2010-0433) - CVE-2010-0433 openssl: crash caused by a missing krb5_sname_to_principal() return value check

Summary: CVE-2010-0433 openssl: crash caused by a missing krb5_sname_to_principal() re...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2010-0433
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	560680 560681 567711 573653 573658 1127896
Blocks:
TreeView+	depends on / blocked

Reported:	2010-03-02 11:23 UTC by Tomas Hoger
Modified:	2019-09-29 12:35 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2010-12-14 10:04:44 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2010:0162	0	normal	SHIPPED_LIVE	Important: openssl security update	2010-03-25 08:52:22 UTC

Description Tomas Hoger 2010-03-02 11:23:32 UTC

Todd Rinaldo brought to our attention (bug #567711) a flaw in OpenSSL that can cause TLS/SSL server using OpenSSL to crash when clients proposes certain cipher suites in its client hello.

This crash is caused by a missing kerberos krb5_sname_to_principal() function return value check in OpenSSL's kssl_keytab_is_available() (ssl/kssl.c).  This function can return an error under certain circumstances (the issue was reproduced with dovecot and stunnel configured to chroot their process to an empty directory, causing getaddrinfo() call to fail).  If kssl_keytab_is_available() fails, it may leave princ (kerberos service principal) unmodified, causing krb5_kt_get_entry() to be called with NULL principal.  With certain krb5 versions, this leads to a NULL pointer dereference crash.

Comment 2 Tomas Hoger 2010-03-03 20:05:03 UTC

Upstream fix:
  http://cvs.openssl.org/chngview?cn=19374

Comment 5 Fedora Update System 2010-03-23 07:27:29 UTC

openssl-0.9.8m-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/openssl-0.9.8m-1.fc11

Comment 6 errata-xmlrpc 2010-03-25 08:52:45 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0162 https://rhn.redhat.com/errata/RHSA-2010-0162.html

Comment 7 Fedora Update System 2010-03-25 12:53:09 UTC

openssl-0.9.8n-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/openssl-0.9.8n-1.fc11

Comment 8 Fedora Update System 2010-03-30 10:44:08 UTC

openssl-1.0.0-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/openssl-1.0.0-1.fc13

Comment 9 Fedora Update System 2010-03-30 12:27:15 UTC

openssl-1.0.0-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openssl-1.0.0-1.fc12

Comment 10 Tomas Hoger 2010-04-01 15:58:43 UTC

krb5_sname_to_principal() return value check is missing in OpenSSL versions in Red Hat Enterprise Linux 3 and 4 too.  However, as noted in comment #0, NULL principal does not cause a crash in krb5_kt_get_entry() in all MIT krb5 versions.  In RHEL-3 and RHEL-4 krb5 library version, krb5_kt_get_entry() returns error without crashing.

Comment 11 Fedora Update System 2010-04-09 03:42:39 UTC

openssl-1.0.0-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2010-04-16 23:49:43 UTC

openssl-0.9.8n-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2010-05-18 16:53:57 UTC

openssl-1.0.0-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openssl-1.0.0-4.fc12

Comment 14 Fedora Update System 2010-05-25 18:41:33 UTC

openssl-1.0.0-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Tomas Hoger 2018-01-17 15:35:22 UTC

(In reply to Tomas Hoger from comment #2)
> Upstream fix:
>   http://cvs.openssl.org/chngview?cn=19374

This is no longer working, the working link is:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=cca1cd9a3447dd067503e4a85ebd1679ee78a48e

Note You need to log in before you can comment on or make changes to this bug.