Bug 476671 (CVE-2008-5077) - CVE-2008-5077 OpenSSL Incorrect checks for malformed signatures
Summary: CVE-2008-5077 OpenSSL Incorrect checks for malformed signatures
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-5077
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Michal Marciniszyn
URL:
Whiteboard:
Depends On: 476676 476677 476678 476679 476680 476681 476682 476683 476684 476685 476686 476687 476688 482112 530522 673086 813718 1127896
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-12-16 15:15 UTC by Mark J. Cox
Modified: 2019-09-29 12:28 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-21 07:25:25 UTC
Embargoed:


Attachments (Terms of Use)
proposed patch (5.37 KB, patch)
2008-12-16 15:17 UTC, Mark J. Cox
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0004 0 normal SHIPPED_LIVE Important: openssl security update 2009-01-07 13:27:19 UTC

Description Mark J. Cox 2008-12-16 15:15:56 UTC
Draft advisory from OpenSSL team:

OpenSSL Security Advisory [07-Jan-2009]

Incorrect checks for malformed signatures
-------------------------------------------

Several functions inside OpenSSL incorrectly checked the result after
calling the EVP_VerifyFinal function, allowing a malformed signature
to be treated as a good signature rather than as an error.  This issue
affected the signature checks on DSA and ECDSA keys used with
SSL/TLS.

One way to exploit this flaw would be for a remote attacker who is in
control of a malicious server or who can use a 'man in the middle'
attack to present a malformed SSL/TLS signature from a certificate chain
to a vulnerable client, bypassing validation.

This vulnerability is tracked as CVE-2008-5077.

The OpenSSL security team would like to thank the Google Security Team
for reporting this issue.

Who is affected?
-----------------

Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client
when connecting to a server whose certificate contains a DSA or ECDSA key.

Use of OpenSSL as an SSL/TLS client when connecting to a server whose
certificate uses an RSA key is NOT affected.

Verification of client certificates by OpenSSL servers for any key type
is NOT affected.

Recommendations for users of OpenSSL
------------------------------------

Users of OpenSSL 0.9.8 should update to the OpenSSL 0.9.8j release
which contains a patch to correct this issue.

The patch used is also appended to this advisory for users or
distributions who wish to backport this patch to versions they build
from source. Please note: this patch also includes fixes for a
few other cases where return codes are not correctly checked, but
these do not have a security implication

Recommendations for projects using OpenSSL
------------------------------------------

Projects and products using OpenSSL should audit any use of the
routine EVP_VerifyFinal() to ensure that the return code is being
correctly handled.  As documented, this function returns 1 for a
successful verification, 0 for failure, and -1 for an error.

General recommendations
-----------------------

Any SSL/TLS server with clients that OpenSSL to verify DSA or ECDSA
certificates, regardless of the software used by the server, should
either ensure that all clients are upgraded or should stop using
DSA/ECDSA certificates. Note that unless certificates are revoked
(and clients check for revocation) impersonation will still be
possible until the certificate expires.

Comment 1 Mark J. Cox 2008-12-16 15:17:00 UTC
Created attachment 327115 [details]
proposed patch

Comment 8 Mark J. Cox 2009-01-07 12:58:46 UTC
now public, removing embargo
http://openssl.org/news/secadv_20090107.txt

Comment 9 Fedora Update System 2009-01-07 17:47:54 UTC
openssl-0.9.8g-9.12.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/openssl-0.9.8g-9.12.fc9

Comment 10 Fedora Update System 2009-01-07 17:49:40 UTC
openssl-0.9.8g-12.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/openssl-0.9.8g-12.fc10

Comment 11 Fedora Update System 2009-01-08 04:19:08 UTC
openssl-0.9.8g-9.12.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2009-01-08 04:19:42 UTC
openssl-0.9.8g-12.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Tomas Hoger 2009-01-09 07:38:49 UTC
oCERT advisory:
  http://www.ocert.org/advisories/ocert-2008-016.html

Comment 14 Richard W.M. Jones 2009-01-11 23:12:41 UTC
Is it planned to rebuild this in Rawhide?  I notice that F-10 contains the
fix but Rawhide does not.

Comment 15 Tomas Mraz 2009-01-12 07:29:29 UTC
I'm currently working on upgrade of openssl in rawhide to the latest released upstream version which already contains the fix. It will take some time though as we will need a special build target for rebuild of the dependent packages.


Note You need to log in before you can comment on or make changes to this bug.