Bug 1202395 (CVE-2015-0292) - CVE-2015-0292 openssl: integer underflow leading to buffer overflow in base64 decoding
Summary: CVE-2015-0292 openssl: integer underflow leading to buffer overflow in base64...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-0292
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1196738 1203070 1203071 1203082 1203083 1203855 1203856 1205026 1205494 1205495 1207507
Blocks: 1202442 1205499
TreeView+ depends on / blocked
 
Reported: 2015-03-16 14:26 UTC by Martin Prpič
Modified: 2021-02-17 05:31 UTC (History)
42 users (show)

Fixed In Version: openssl 1.0.1h, openssl 1.0.0m, openssl 0.9.8za
Doc Type: Bug Fix
Doc Text:
An integer underflow flaw, leading to a buffer overflow, was found in the way OpenSSL decoded malformed Base64-encoded inputs. An attacker able to make an application using OpenSSL decode a specially crafted Base64-encoded input (such as a PEM file) could use this flaw to cause the application to crash. Note: this flaw is not exploitable via the TLS/SSL protocol because the data being transferred is not Base64-encoded.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:39:50 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0715 0 normal SHIPPED_LIVE Moderate: openssl security update 2015-03-24 00:50:48 UTC
Red Hat Product Errata RHSA-2015:0716 0 normal SHIPPED_LIVE Moderate: openssl security and bug fix update 2015-03-24 03:04:24 UTC
Red Hat Product Errata RHSA-2015:0752 0 normal SHIPPED_LIVE Moderate: openssl security update 2015-03-30 11:58:28 UTC
Red Hat Product Errata RHSA-2015:0800 0 normal SHIPPED_LIVE Moderate: openssl security update 2015-04-13 15:54:05 UTC

Description Martin Prpič 2015-03-16 14:26:59 UTC 
A vulnerability existed in previous versions of OpenSSL related to the processing of base64-encoded data. Any code path that reads base64 data from an untrusted source could be affected (such as the PEM processing routines). Maliciously crafted base 64 data could trigger a segmenation fault or memory corruption. This was addressed in previous versions of OpenSSL but has not been included in any security advisory until now.

This issue affects OpenSSL versions 1.0.1, 1.0.0, and 0.9.8. This issue is fixed in versions: 1.0.1h, 1.0.0m, and 0.9.8za.

Acknowledgements:

Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Robert Dugal and David Ramos as the original reporters.
Comment 1 Tomas Hoger 2015-03-16 20:56:00 UTC 
Upstream bug report:
https://rt.openssl.org/Ticket/Display.html?id=2608&user=guest&pass=guest

Upstream commits:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d0666f2 (1.0.1)
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=84fe686 (1.0.0)
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9febee0 (0.9.8)
Comment 3 Tomas Hoger 2015-03-17 22:51:56 UTC 
There is an integer underflow issue, which can result in the decoded bytes counter to have negative value (in the range of -1 to -16).  That value is subsequently used as memcpy() size argument, leading to attempt to copy close to SIZE_MAX bytes.  Hence program crashes before memcpy() completes.  However, memcpy() target buffer is overflown, so this has some code execution impact risk for e.g. multi-threaded programs.
Comment 7 Martin Prpič 2015-03-19 14:35:00 UTC 
External References:

https://openssl.org/news/secadv_20150319.txt
https://access.redhat.com/articles/1384453
Comment 8 Tomas Hoger 2015-03-19 19:05:30 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1196738]
Comment 9 Tomas Hoger 2015-03-19 19:05:34 UTC 
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1203855]
Affects: epel-7 [bug 1203856]
Comment 10 Fedora Update System 2015-03-22 04:40:11 UTC 
openssl-1.0.1k-6.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-03-22 04:40:49 UTC 
openssl-1.0.1k-6.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2015-03-23 07:18:13 UTC 
openssl-1.0.1e-42.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 errata-xmlrpc 2015-03-23 20:51:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0715 https://rhn.redhat.com/errata/RHSA-2015-0715.html
Comment 15 errata-xmlrpc 2015-03-23 23:04:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0716 https://rhn.redhat.com/errata/RHSA-2015-0716.html
Comment 18 errata-xmlrpc 2015-03-30 07:58:47 UTC 
This issue has been addressed in the following products:

  Red Hat Storage 2.1

Via RHSA-2015:0752 https://rhn.redhat.com/errata/RHSA-2015-0752.html
Comment 20 errata-xmlrpc 2015-04-13 11:54:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:0800 https://rhn.redhat.com/errata/RHSA-2015-0800.html
Note You need to log in before you can comment on or make changes to this bug.