Bug 104893 (CVE-2003-0543, CVE-2003-0544, CVE-2003-0545) - CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes
Summary: CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2003-0543, CVE-2003-0544, CVE-2003-0545
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-09-23 11:06 UTC by Mark J. Cox
Modified: 2019-09-29 12:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-10-02 08:05:42 UTC
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2003:293
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: openssl security update
Last Updated: 2003-09-23 04:00:00 UTC

Description Mark J. Cox 2003-09-23 11:06:15 UTC
Notified via NISCC on Sep 12, NISCC 006489

CAN-2003-0543 OpenSSL 0.96/0.97 ASN.1 int overflow
CAN-2003-0544 OpenSSL 0.96/0.97 ASN.1 read one character

NISCC found two bugs in OpenSSL 0.9.6 which can be triggered by sending a
carefully crafted SSL client certificate containing an unusual ASN.1 tag
value; such a certificate could cause an application using OpenSSL to terminate
unexpectedly.

RHSA-2003:293 in progress

Embargoed until November 4th 2003.

Comment 1 Mark J. Cox 2003-09-29 09:36:16 UTC
Actually this is embargoed until September 30th not November 4th (my mistake). 
A better description of the issues:

NISCC testing of implementations of the SSL protocol uncovered two bugs in
OpenSSL 0.9.6 and OpenSSL 0.9.7. The parsing of unusual ASN.1 tag values
can cause OpenSSL to crash. A remote attacker could trigger this bug by
sending a carefully-crafted SSL client certificate to an application. The
effects of such an attack vary depending on the application targeted;
against Apache the effects are limited, as the attack would only cause
child processes to die and be replaced. An attack against other
applications that use OpenSSL could result in a Denial of Service. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the names CAN-2003-0543 and CAN-2003-0544 to this issue.

[CAN-2003-0543 is the fix that prevents the tag from overflowing an int.

CAN-2003-0544 is the fix that decrements the number of characters which can be
read when the final long form octet is read. Without this it can read one
character past the end of the buffer whenever the long form is used.]

NISCC testing of implementations of the SSL protocol uncovered an
additional bug in OpenSSL 0.9.7. Certain ASN.1 encodings that are rejected
as invalid by the parser can trigger a bug in deallocation of a structure,
leading to a double free. A remote attacker could trigger this bug by
sending a carefully-crafted SSL client certificate to an application. It
may be possible for an attacker to exploit this issue to execute arbitrary
code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0545 to this issue.

This will be RHSA-2003:293
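
As an added example (not OpenSSL's code, and not part of the original bug report), the following C decoder for an ASN.1 identifier shows the two checks that Comment 1 describes: a range check before every shift so the accumulated tag number cannot overflow the integer holding it, and a length check before every octet read so the final long-form octet is never read from one byte past the end of the buffer. The function names, the MAX_TAG_NUMBER limit and the sample identifiers are this example's own constructions.

```c
#include <stddef.h>
#include <stdio.h>

/* Largest tag number accepted. Mirrors an int-sized accumulator; the
 * value is this example's choice, not a constant taken from OpenSSL. */
#define MAX_TAG_NUMBER 0x7FFFFFFFL

enum tag_result {
    TAG_OK = 0,
    TAG_ERR_TRUNCATED = 1, /* input ended before the identifier did        */
    TAG_ERR_OVERFLOW  = 2  /* long-form tag number exceeds MAX_TAG_NUMBER   */
};

/*
 * Decode a BER/DER identifier (the tag octets) from buf[0 .. len).
 * Short form: one octet, tag number in the low 5 bits.
 * Long form:  low 5 bits all set, then base-128 octets with the high
 *             bit set on every octet except the last.
 * Every read is bounded by len and every shift is preceded by a range
 * check, so the function can neither read past the buffer nor wrap.
 */
enum tag_result decode_tag(const unsigned char *buf, size_t len,
                           unsigned *tag_class, int *constructed,
                           long *tag_number, size_t *consumed)
{
    size_t pos;
    long number;

    if (len == 0)
        return TAG_ERR_TRUNCATED;

    *tag_class   = buf[0] & 0xC0;
    *constructed = (buf[0] & 0x20) != 0;
    number       = buf[0] & 0x1F;
    pos          = 1;

    if (number == 0x1F) {          /* long form follows */
        number = 0;
        for (;;) {
            if (pos >= len)        /* bound the read of every further octet */
                return TAG_ERR_TRUNCATED;
            if (number > (MAX_TAG_NUMBER >> 7))  /* next shift would overflow */
                return TAG_ERR_OVERFLOW;
            number = (number << 7) | (buf[pos] & 0x7F);
            if ((buf[pos++] & 0x80) == 0)
                break;             /* final long-form octet reached */
        }
    }

    *tag_number = number;
    *consumed   = pos;
    return TAG_OK;
}

/* Convenience wrapper: the tag number on success, or the negated
 * error code on failure. */
long decode_tag_number(const unsigned char *buf, size_t len)
{
    unsigned cls;
    int cons;
    long number;
    size_t used;
    enum tag_result r = decode_tag(buf, len, &cls, &cons, &number, &used);
    return r == TAG_OK ? number : -(long)r;
}

/* Constructed sample identifiers for illustration; none comes from a real certificate. */
const unsigned char SAMPLE_SEQUENCE[]  = { 0x30 };              /* constructed SEQUENCE, tag 16 */
const unsigned char SAMPLE_LONG_OK[]   = { 0x1F, 0x81, 0x00 };  /* long form, tag number 128 */
const unsigned char SAMPLE_TRUNCATED[] = { 0x1F, 0x81 };        /* continuation bit set, nothing follows */
const unsigned char SAMPLE_OVERFLOW[]  = { 0x1F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F }; /* 42-bit tag number */

int main(void)
{
    printf("SEQUENCE:  %ld\n", decode_tag_number(SAMPLE_SEQUENCE, sizeof SAMPLE_SEQUENCE));
    printf("long form: %ld\n", decode_tag_number(SAMPLE_LONG_OK, sizeof SAMPLE_LONG_OK));
    printf("truncated: %ld (expect -%d)\n",
           decode_tag_number(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED), TAG_ERR_TRUNCATED);
    printf("overflow:  %ld (expect -%d)\n",
           decode_tag_number(SAMPLE_OVERFLOW, sizeof SAMPLE_OVERFLOW), TAG_ERR_OVERFLOW);
    return 0;
}
```

The truncated sample is the shape of input that an off-by-one in the long-form loop turns into a one-byte over-read, and the overflow sample is the shape that wraps an unchecked accumulator; a decoder that rejects both before touching memory or shifting is what the two fixes amount to.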

Comment 2 Mark J. Cox 2003-10-02 08:05:42 UTC
The errata http://rhn.redhat.com/errata/RHSA-2003-293.html was released shortly after 1200 UTC on 30th September.

Making this bug public.

Comment 3 Jan Lieskovsky 2009-05-15 11:02:46 UTC
More details from the CERT VU#935264 and OpenSSL "secadv_20030930.txt" upstream advisories (http://www.kb.cert.org/vuls/id/935264, http://www.openssl.org/news/secadv_20030930.txt) for the CAN/CVE-2003-0545 issue:

<cite>

1. Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in the deallocation of the corresponding data
structure, corrupting the stack. This can be used as a denial of service
attack. It is currently unknown whether this can be exploited to run
malicious code. This issue does not affect OpenSSL 0.9.6.

</cite>

The CAN-2003-0545 (currently known as CVE-2003-0545) issue does NOT
affect the versions of the openssl096 package, as shipped with Red Hat
Enterprise Linux 2.1, 3, and 4.
