FS#40251 : [openssl] CVE-2014-0198 - apply security patch

FS#40251 - [openssl] CVE-2014-0198 - apply security patch

Attached to Project: Arch Linux
Opened by Sapalot (superfranky) - Tuesday, 06 May 2014, 21:55 GMT
Last edited by Pierre Schmitz (Pierre) - Thursday, 05 June 2014, 15:51 GMT

Task Type	Bug Report
Category	Security
Status	Closed
Assigned To	Pierre Schmitz (Pierre)
Architecture	All
Severity	Critical
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	9 csmk (csmk) (2014-06-05) Pablo Lezaeta (Jristz) (2014-06-01) Claire Farron (clfarron4) (2014-05-14) Christian Hesse (eworm) (2014-05-13) Naszar (naszar) (2014-05-13) Thomas Ludwig (adventurer) (2014-05-13) Mihail Ivanov (x0r) (2014-05-08) wes (Nisstyre56) (2014-05-06) Sapalot (superfranky) (2014-05-06)
Private	No

Details

Description: An attacker can trigger generation of an SSL alert which could cause a null pointer dereference.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0198

'The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.'

Spotted and fixed by the OpenBSD guys with the following patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/009_openssl.patch
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/005_openssl.patch.sig
Patches are identical and just here for reference.

Affected Openssl versions: 1.0.0 up to 1.0.1g.

Since waiting for upstream to react isn't pro-active,
please apply the patch as soon as possible.

This task depends upon

Closed by Pierre Schmitz (Pierre)
Thursday, 05 June 2014, 15:51 GMT
Reason for closing: Upstream

Comment by Sapalot (superfranky) - Friday, 09 May 2014, 11:48 GMT

Severity of this is Medium, nevertheless better be safe than sorry.

I uploaded the changes for the PKGBUILD to apply both OpenBSD patches for CVE-2014-0198 and CVE-2010-5298 (which has been reported here: https://bugs.archlinux.org/task/39832).

+ switched from md5sums to sha1sums

changes.patch (1.5 KiB)

Comment by Sapalot (superfranky) - Thursday, 05 June 2014, 13:29 GMT

This is now fixed and included in the official openssl-1.0.1h version.

Official OpenSSL Security Advisory states:

----------- 8< snip >8 -------------

SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
=================================================================

A flaw in the do_ssl3_write function can allow remote attackers to
cause a denial of service via a NULL pointer dereference. This flaw
only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is
enabled, which is not the default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public. The fix was developed by
Matt Caswell of the OpenSSL development team.

----------- 8< snip >8 -------------

For any future security fixes in regard to openssl,
I ask here very politely that you consider applying patches
rather sooner and not waiting over a month.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#40251 - [openssl] CVE-2014-0198 - apply security patch

Details

Loading...