Bug 798100 - (CVE-2006-7248, CVE-2006-7250) CVE-2006-7250 openssl: mime_hdr_cmp NULL dereference crash
CVE-2006-7250 openssl: mime_hdr_cmp NULL dereference crash
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20060829,repor...
: Reopened, Security
Depends On:
Blocks: 802502
  Show dependency treegraph
 
Reported: 2012-02-27 22:10 EST by Kurt Seifried
Modified: 2016-03-04 06:16 EST (History)
1 user (show)

See Also:
Fixed In Version: openssl 0.9.8u, openssl 1.0.0h
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-28 03:16:46 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
openssl PR: 2711 Tolerate bad MIME headers in parser (596 bytes, patch)
2012-02-28 18:04 EST, Kurt Seifried
no flags Details | Diff

  None (edit)
Description Kurt Seifried 2012-02-27 22:10:21 EST
"openssl smime -verify -in" verifies the signature of the input file and
the "-verify" switch expects a signed or encrypted input file. Previously,
running openssl on an S/MIME file that was not encrypted or signed caused
openssl to segfault. With this update, the input file is now checked for a
signature or encryption. Consequently, openssl now returns an error and
quits when attempting to verify an unencrypted or unsigned S/MIME file.

This was fixed in RHSA-2009:1335:
  http://rhn.redhat.com/errata/RHSA-2009-1335.html
Comment 2 Kurt Seifried 2012-02-28 18:04:36 EST
Created attachment 566411 [details]
openssl PR: 2711 Tolerate bad MIME headers in parser

Patch is from RHEL-6 OpenSSL source RPM
Comment 4 Tomas Hoger 2012-02-29 04:34:25 EST
This problem was previously reported via (private) bug #472440 and addressed as non-security bug fix in Red Hat Enterprise Linux 5 packages in 2009 via RHSA-2009:1335:
  http://rhn.redhat.com/errata/RHSA-2009-1335.html

This patch was also included in openssl and openssl098e packages in Red Hat Enterprise Linux 6 since the initial release.  It's also included in current Fedora packages.  Patch is names as openssl-*-bad-mime.patch

Later in 2012, it was discovered that the fix was previously not pushed upstream and that was done via:
  http://marc.info/?l=openssl-dev&m=132886769402643&w=2
  http://rt.openssl.org/Ticket/Display.html?id=2711&user=guest&pass=guest

and applied upstream in:
  http://cvs.openssl.org/chngview?cn=22147 (cvs head)
  and cn 22144, 22145, 22146 for commits to 0.9.8, 1.0.0 and 1.0.1 branches

There was some confusion around CVE assignment due to a use of the CVE in unrelated bug report:
  http://thread.gmane.org/gmane.comp.security.oss.general/7012
  http://thread.gmane.org/gmane.comp.security.oss.general/7005/focus=7035

CVE-2006-7248 was previously used for this issue.

Statement:

This issue was corrected in Red Hat Enterprise Linux 5 via RHSA-2009:1335. It did not affect openssl packages shipped with Red Hat Enterprise Linux 6.

Note You need to log in before you can comment on or make changes to this bug.