Bug 569774 (CVE-2010-0433) - CVE-2010-0433 openssl: crash caused by a missing krb5_sname_to_principal() return value check
Status: CLOSED ERRATA
Alias: CVE-2010-0433
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,source=researcher,rep...
Keywords: Security
Depends On: 560680 560681 567711 573653 573658 1127896
Blocks:
Reported: 2010-03-02 11:23 UTC by Tomas Hoger
Modified: 2019-06-08 12:56 UTC (History)
Clone Of:
Last Closed: 2010-12-14 10:04:44 UTC

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0162 normal SHIPPED_LIVE Important: openssl security update 2010-03-25 08:52:22 UTC

Description Tomas Hoger 2010-03-02 11:23:32 UTC
Todd Rinaldo brought to our attention (bug #567711) a flaw in OpenSSL that can cause a TLS/SSL server using OpenSSL to crash when a client proposes certain cipher suites in its client hello.

This crash is caused by a missing Kerberos krb5_sname_to_principal() function return value check in OpenSSL's kssl_keytab_is_available() (ssl/kssl.c).  This function can return an error under certain circumstances (the issue was reproduced with dovecot and stunnel configured to chroot their process to an empty directory, causing the getaddrinfo() call to fail).  If kssl_keytab_is_available() fails, it may leave princ (Kerberos service principal) unmodified, causing krb5_kt_get_entry() to be called with a NULL principal.  With certain krb5 versions, this leads to a NULL pointer dereference crash.
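
An added illustration of the pattern this description outlines (not OpenSSL's ssl/kssl.c and not the upstream fix): the unchecked call beside the checked one, run against constructed stand-ins for krb5_sname_to_principal() and krb5_kt_get_entry(). The sim_ stand-ins, the two keytab_is_available_* functions, the principal name and the error codes are all assumptions. The stand-in keytab lookup records a NULL principal and returns an error instead of dereferencing it (the behaviour comment #10 attributes to the RHEL-3/4 library), so both forms can be run side by side without crashing the process.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the two MIT krb5 calls that OpenSSL's
 * kssl_keytab_is_available() makes. They model only the behaviour that
 * matters for CVE-2010-0433 and are not the real library. */
typedef int krb5_error_code;
typedef struct { const char *name; } krb5_principal_data;
typedef krb5_principal_data *krb5_principal;
typedef struct { int unused; } krb5_context_rec, *krb5_context;
typedef struct { int unused; } krb5_keytab_rec, *krb5_keytab;
typedef struct { int found; } krb5_keytab_entry;

#define SIM_ERR_RESOLVE    1  /* constructed: host name lookup failed */
#define SIM_ERR_NULL_PRINC 2  /* constructed: NULL principal reached the keytab lookup */

/* Test knob: when nonzero, principal construction fails the way it does
 * when getaddrinfo() cannot resolve the host inside an empty chroot. */
static int sim_resolve_fails = 0;

/* Set when the keytab lookup is reached with a NULL principal. */
static int sim_null_principal_seen = 0;

/* Constructed sample principal. */
static krb5_principal_data sim_host_princ = { "host/server.example.test@EXAMPLE.TEST" };

/* Stand-in for krb5_sname_to_principal(): on failure *princ is left untouched,
 * which is the property the report relies on. */
static krb5_error_code sim_krb5_sname_to_principal(krb5_context ctx, const char *host,
                                                   const char *sname, krb5_principal *princ)
{
    (void)ctx; (void)host; (void)sname;
    if (sim_resolve_fails)
        return SIM_ERR_RESOLVE;
    *princ = &sim_host_princ;
    return 0;
}

/* Stand-in for krb5_kt_get_entry(). The krb5 builds the report describes as
 * crashing dereferenced a NULL principal here; this stand-in records the NULL
 * and returns an error so the outcome is observable. */
static krb5_error_code sim_krb5_kt_get_entry(krb5_context ctx, krb5_keytab kt,
                                             krb5_principal principal,
                                             krb5_keytab_entry *entry)
{
    (void)ctx; (void)kt;
    if (principal == NULL) {
        sim_null_principal_seen = 1;
        return SIM_ERR_NULL_PRINC;
    }
    entry->found = strncmp(principal->name, "host/", 5) == 0;
    return entry->found ? 0 : 3;
}

/* Unchecked form (hypothetical simplification of the pre-fix logic): the
 * result of building the principal is dropped, so when it fails princ is
 * still NULL by the time the keytab is queried. */
static int keytab_is_available_unchecked(krb5_context ctx, krb5_keytab kt)
{
    krb5_principal princ = NULL;
    krb5_keytab_entry entry = { 0 };

    sim_krb5_sname_to_principal(ctx, NULL, "host", &princ);   /* return value ignored */
    if (sim_krb5_kt_get_entry(ctx, kt, princ, &entry) != 0)
        return 0;
    return entry.found;
}

/* Checked form: a failed principal lookup means "no usable keytab", so the
 * keytab query is never reached with a NULL principal. */
static int keytab_is_available_checked(krb5_context ctx, krb5_keytab kt)
{
    krb5_principal princ = NULL;
    krb5_keytab_entry entry = { 0 };

    if (sim_krb5_sname_to_principal(ctx, NULL, "host", &princ) != 0)
        return 0;
    if (sim_krb5_kt_get_entry(ctx, kt, princ, &entry) != 0)
        return 0;
    return entry.found;
}

/* Runs one form under the chosen resolution outcome. Returns whether the
 * keytab was reported available; sim_null_principal_seen is left set if the
 * keytab lookup was reached with a NULL principal. */
int run_case(int use_checked, int resolve_fails)
{
    krb5_context_rec ctx = { 0 };
    krb5_keytab_rec kt = { 0 };
    int available;

    sim_null_principal_seen = 0;
    sim_resolve_fails = resolve_fails;
    available = use_checked ? keytab_is_available_checked(&ctx, &kt)
                            : keytab_is_available_unchecked(&ctx, &kt);
    sim_resolve_fails = 0;
    return available;
}

int main(void)
{
    int a = run_case(0, 1);
    printf("unchecked, resolution fails: available=%d null_principal=%d\n", a, sim_null_principal_seen);
    a = run_case(1, 1);
    printf("checked,   resolution fails: available=%d null_principal=%d\n", a, sim_null_principal_seen);
    a = run_case(1, 0);
    printf("checked,   resolution ok:    available=%d null_principal=%d\n", a, sim_null_principal_seen);
    return 0;
}
```

Only the unchecked form reaches the keytab lookup with a NULL principal when resolution fails; the checked form treats that failure as "keytab unavailable", which is the conservative outcome for a server deciding whether it can offer Kerberos cipher suites at all.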

Comment 2 Tomas Hoger 2010-03-03 20:05:03 UTC
Upstream fix:
  http://cvs.openssl.org/chngview?cn=19374

Comment 5 Fedora Update System 2010-03-23 07:27:29 UTC
openssl-0.9.8m-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/openssl-0.9.8m-1.fc11

Comment 6 errata-xmlrpc 2010-03-25 08:52:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0162 https://rhn.redhat.com/errata/RHSA-2010-0162.html

Comment 7 Fedora Update System 2010-03-25 12:53:09 UTC
openssl-0.9.8n-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/openssl-0.9.8n-1.fc11

Comment 8 Fedora Update System 2010-03-30 10:44:08 UTC
openssl-1.0.0-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/openssl-1.0.0-1.fc13

Comment 9 Fedora Update System 2010-03-30 12:27:15 UTC
openssl-1.0.0-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openssl-1.0.0-1.fc12

Comment 10 Tomas Hoger 2010-04-01 15:58:43 UTC
The krb5_sname_to_principal() return value check is missing in the OpenSSL versions in Red Hat Enterprise Linux 3 and 4 too.  However, as noted in comment #0, a NULL principal does not cause a crash in krb5_kt_get_entry() in all MIT krb5 versions.  In the RHEL-3 and RHEL-4 krb5 library versions, krb5_kt_get_entry() returns an error without crashing.

Comment 11 Fedora Update System 2010-04-09 03:42:39 UTC
openssl-1.0.0-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2010-04-16 23:49:43 UTC
openssl-0.9.8n-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2010-05-18 16:53:57 UTC
openssl-1.0.0-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/openssl-1.0.0-4.fc12

Comment 14 Fedora Update System 2010-05-25 18:41:33 UTC
openssl-1.0.0-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Tomas Hoger 2018-01-17 15:35:22 UTC
(In reply to Tomas Hoger from comment #2)
> Upstream fix:
>   http://cvs.openssl.org/chngview?cn=19374

This is no longer working, the working link is:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=cca1cd9a3447dd067503e4a85ebd1679ee78a48e

