FS#40251 - [openssl] CVE-2014-0198 - apply security patch

Attached to Project: Arch Linux
Opened by Sapalot (superfranky) - Tuesday, 06 May 2014, 21:55 GMT
Last edited by Pierre Schmitz (Pierre) - Thursday, 05 June 2014, 15:51 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 9
Private No


Description: An attacker can trigger generation of an SSL alert which could cause a null pointer dereference.

'The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.'

Spotted and fixed by the OpenBSD guys with the following patch:
Patches are identical and just here for reference.

Affected Openssl versions: 1.0.0 up to 1.0.1g.

Since waiting for upstream to react isn't pro-active,
please apply the patch as soon as possible.
Closed by Pierre Schmitz (Pierre) - Thursday, 05 June 2014, 15:51 GMT
Reason for closing: Upstream
Comment by Sapalot (superfranky) - Friday, 09 May 2014, 11:48 GMT
Severity of this is Medium, nevertheless better be safe than sorry.

I uploaded the changes for the PKGBUILD to apply both OpenBSD patches for CVE-2014-0198 and CVE-2010-5298 (which has been reported here:

+ switched from md5sums to sha1sums
Comment by Sapalot (superfranky) - Thursday, 05 June 2014, 13:29 GMT
This is now fixed and included in the official openssl-1.0.1h version.

Official OpenSSL Security Advisory states:

----------- 8< snip >8 -------------

SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)

A flaw in the do_ssl3_write function can allow remote attackers to
cause a denial of service via a NULL pointer dereference. This flaw
only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is
enabled, which is not the default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public. The fix was developed by
Matt Caswell of the OpenSSL development team.

----------- 8< snip >8 -------------

For any future security fixes in regard to openssl,
I ask here very politely that you consider applying patches
rather sooner and not waiting over a month.
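As an added illustration of the bug class described in the report and in the quoted advisory (a write routine whose nested alert dispatch releases the very buffer the outer call is about to use), here is a constructed C model; it is not OpenSSL's code, the connection struct, the `release_buffers` flag and the `fixed` switch are assumptions, and the `-2` return value stands in for the NULL dereference that the unfixed path would hit.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a connection's write state (not OpenSSL's types). */
typedef struct {
    int    release_buffers; /* models SSL_MODE_RELEASE_BUFFERS being enabled */
    int    alert_pending;   /* an alert was queued before this write */
    char  *wbuf;            /* write buffer; NULL once it has been released */
    size_t wbuf_len;
} conn_t;

static int setup_write_buffer(conn_t *s) {
    if (s->wbuf != NULL) return 1;
    s->wbuf = malloc(256);
    s->wbuf_len = s->wbuf ? 256 : 0;
    return s->wbuf != NULL;
}

/* Release mode frees the buffer as soon as a record has been flushed. */
static void record_flushed(conn_t *s) {
    if (s->release_buffers) { free(s->wbuf); s->wbuf = NULL; s->wbuf_len = 0; }
}

/* Returns bytes written, -1 on allocation failure, or -2 where the unfixed
 * path would dereference a NULL buffer pointer (the crash the CVE describes). */
static int do_write(conn_t *s, const char *data, size_t len, int fixed) {
    if (!setup_write_buffer(s)) return -1;
    if (s->alert_pending) {
        s->alert_pending = 0;
        /* Nested call sends the alert first; in release mode it frees wbuf. */
        if (do_write(s, "alert", 5, fixed) <= 0) return -1;
        /* The fix: after the nested call, re-check the buffer and reallocate. */
        if (fixed && !setup_write_buffer(s)) return -1;
    }
    if (s->wbuf == NULL) return -2; /* unfixed path: real code crashes here */
    if (len > s->wbuf_len) len = s->wbuf_len;
    memcpy(s->wbuf, data, len);
    record_flushed(s);
    return (int)len;
}

/* Drive one scenario and return do_write's result. */
int run_scenario(int release_buffers, int alert_pending, int fixed) {
    conn_t s = { release_buffers, alert_pending, NULL, 0 };
    int r = do_write(&s, "application data", 16, fixed); /* constructed input */
    free(s.wbuf);
    return r;
}
```

Only the combination of release mode and a pending alert reaches the bad path, which matches the advisory's note that the default configuration is unaffected.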