Current-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2010-011: OpenSSL Double Free Arbitrary Code Execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2010-011
=================================
Topic: OpenSSL Double Free Arbitrary Code Execution
Version: NetBSD-current: source prior to August 11, 2010
NetBSD 5.0.*: affected
NetBSD 5.0: affected
NetBSD 4.0.*: affected
NetBSD 4.0: affected
pkgsrc: openssl package prior to 0.9.8onb1
Severity: Denial of Service and potential arbitrary code execution
Fixed: NetBSD-current: August 12, 2010
NetBSD-5-0 branch: September 8, 2010
NetBSD-5 branch: September 8, 2010
NetBSD-4-0 branch: October 13, 2010
NetBSD-4 branch: October 13, 2010
pkgsrc 2010Q3: openssl-0.9.8onb1 corrects this issue
Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
Client programs using the openssl library to open and process SSLv3 and TLSv1
connections may crash or execute arbitrary code if the server provides a
specially crafted SSL key that can inject arbitrary code.
This vulnerability has been assigned CVE-2010-2939.
Technical Details
=================
A failure to set the pointer to a freed buffer to NULL in the
ssl3_get_key_exchange() function in the OpenSSL client (ssl/s3_clnt.c)
when using ECDH, results in a double free which in turn allows
context-dependent attackers to cause a denial of service (crash)
and possibly execute arbitrary code via a crafted private key with
an invalid prime.
Solutions and Workarounds
=========================
- - Patch, recompile, and reinstall libssl.
CVS branch file revision
------------- ---------------- --------
HEAD src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c 1.2
CVS branch file revision
------------- ---------------- --------
netbsd-5-0 src/crypto/dist/openssl/ssl/s3_clnt.c 1.12.4.1.2.1
netbsd-5 src/crypto/dist/openssl/ssl/s3_clnt.c 1.12.4.2
netbsd-4-0 src/crypto/dist/openssl/ssl/s3_clnt.c 1.9.4.1.2.2
netbsd-4 src/crypto/dist/openssl/ssl/s3_clnt.c 1.9.4.3
The following instructions briefly summarize how to update and
recompile libssl. In these instructions, replace:
BRANCH with the appropriate CVS branch (from the above table)
FILES with the file names for that branch (from the above table)
To update from CVS, re-build, and re-install libc and sftp:
* NetBSD-current:
# cd src
# cvs update -d -P -r BRANCH crypto/external/bsd/openssl/dist/ssl
# cd lib/libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../../crypto/external/bsd/openssl/lib/libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 5.*/4.*:
# cd src
# cvs update -d -P -r BRANCH crypto/dist/openssl/ssl
# cd lib/libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
For more information on building (oriented towards rebuilding the
entire system, however) see:
http://www.netbsd.org/guide/en/chap-build.html
Thanks To
=========
Thanks to Georgi Guninski for discovering the problem and Mounir
IDRASSI for providing the fix. Thanks also to Matthias Drochner
for providing the necessary patches for NetBSD HEAD and netbsd-5
as well as information on the impact of the vulnerability, and
Christos Zoulas for providing the patch to netbsd-4.
Revision History
================
2010-10-28 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-011.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2010, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2010-011.txt,v 1.1 2010/10/27 21:41:46 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)
iQIcBAEBAgAGBQJMyJ8dAAoJEAZJc6xMSnBuX+AQAM4AsQlkFXUusYpbU0j9Hcc4
+s4wGSHRrlF02xydKRWdryLEIb3p9yOz9GkMVXDokUDGuarKyfY7yJt6LNWWNRYh
qR80CLQ7Mi+2XotZLMcDBldcS2ZOm09ZWH1JLzYDGZEJMNhyNdfI+Tg1EtIABoqF
F6jWn3eM2Vdn9q52GgiCz+Uo8DSEJxglppc5yR2q9UMtJCnQdPA4Ccc/2uKtyvEv
2d8MYXiSc7aYkvs5uw0iOY4Kqrhm77Bpi50jb5xm7Zcf9ANA/s3EpY+VkDQIOoaU
7kTm7o/fUlxMbb2PDD2xDLHY43Ecjc1bC4DlnQW87GsbBddB5Wh5gn/jjT2+XYxg
xkhP400O04YgM8MrxGEflJH+nAY/wZZkmkQSoxqW0JXr9rNH8ZqeKXR7BeCzOw2Z
6Yxh9f3xLApdbl1k70eYMM4dH6QlmRFIV82KJhgCCeBqKcPqFVBiBwfQkBtM7mEt
frpetXsrXATPS5nJTcOchHhL+muBFEnY7Ek0998X0Hxm0mL5q/NsdyV3+USUwL6n
8p63d8gA+nWk0AX7TqB0iRyQhiMqne00o3SeeVMa8w+5sXqC9pVXg80qXZQa5WR5
1od7Cf3F+daKwZ/xHYuaTclWNtFTxjARg5MJ9561QHBQpe5TTwweNBcYwdPRLBDm
hCi3yQ36ozvzS+xUy4Bc
=Ur1p
-----END PGP SIGNATURE-----
Home |
Main Index |
Thread Index |
Old Index