Bug 1047840 (CVE-2013-6450) - CVE-2013-6450 openssl: crash in DTLS renegotiation after packet loss
Summary: CVE-2013-6450 openssl: crash in DTLS renegotiation after packet loss
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-6450
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20131219,repo...
Depends On: 1047843 1047844 1047845 1047846 1047847 1048277 1048278
Blocks: 1045440
TreeView+ depends on / blocked
 
Reported: 2014-01-02 11:10 UTC by Ratul Gupta
Modified: 2019-06-08 19:50 UTC (History)
18 users (show)

Fixed In Version: openssl 1.0.1f, openssl 1.0.0l
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-31 15:06:20 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0015 normal SHIPPED_LIVE Important: openssl security update 2014-01-08 23:16:14 UTC

Description Ratul Gupta 2014-01-02 11:10:32 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6450 to the following vulnerability:

The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.

Upstream commit:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3462896

Comment 3 Ratul Gupta 2014-01-02 11:15:41 UTC
Created mingw32-openssl tracking bugs for this issue:

Affects: epel-5 [bug 1047845]

Comment 4 Ratul Gupta 2014-01-02 11:15:45 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1047843]

Comment 5 Ratul Gupta 2014-01-02 11:15:49 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1047844]

Comment 6 Ratul Gupta 2014-01-02 11:39:03 UTC
Upstream bug link:
http://rt.openssl.org/Ticket/Display.html?id=3199&user=guest&pass=guest

Comment 7 Mark J. Cox 2014-01-03 13:38:51 UTC
OpenSSL 0.9.8 is not affected.

Comment 13 Tomas Hoger 2014-01-08 14:03:13 UTC
DTLS protocol support is not available in openssl packages in Red Hat Enterprise Linux 4 and earlier.  Red Hat Enterprise Linux 5 uses openssl 0.9.8, which is not affected (see comment 7).

Statement:

This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and earlier.

Comment 14 errata-xmlrpc 2014-01-08 18:19:32 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0015 https://rhn.redhat.com/errata/RHSA-2014-0015.html

Comment 15 Tomas Hoger 2014-01-08 20:51:31 UTC
(In reply to Mark J. Cox (Security Engineering) from comment #7)
> OpenSSL 0.9.8 is not affected.

More details in post from upstream developer:

http://www.mail-archive.com/openssl-dev@openssl.org/msg33547.html

Comment 17 Fedora Update System 2014-01-10 07:45:27 UTC
openssl-1.0.1e-37.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2014-01-10 07:58:36 UTC
openssl-1.0.1e-37.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2014-01-12 05:06:30 UTC
openssl-1.0.1e-37.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Vincent Danen 2014-01-31 15:06:20 UTC
SUSE was reporting [1] some crashes with a patched openssl, so I wanted to clarify here that they were missing part of the required fix.

In addition to the upstream commit noted in comment #0:

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3462896

Upstream also indicated [2] that this patch was required:

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a6c62f0

We have this patch in our openssl-1.0.1e-cve-2013-6450.patch which was applied to Red Hat Enterprise Linux 6's fix, as noted above.

So the problems that SUSE was describing would not affect Red Hat Enterprise Linux 6.

[1] https://bugzilla.novell.com/show_bug.cgi?id=861384
[2] http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3214#txn-38658


Note You need to log in before you can comment on or make changes to this bug.