Security-Announce archive
NetBSD Security Advisory 2009-012: SHA2 implementation potential buffer overflow
NetBSD Security Advisory 2009-012
=================================
Topic: SHA2 implementation potential buffer overflow
Version:        NetBSD-current: affected prior to 2009-05-26
                NetBSD 5.0:     affected
                NetBSD 4.0.*:   affected
                NetBSD 4.0:     affected
Severity:       Denial of Service
Fixed:          NetBSD-current:     May 26, 2009
                NetBSD-5-0 branch:  Jul 11, 2009
                NetBSD-5 branch:    Jul 11, 2009
                NetBSD-4-0 branch:  Jul 22, 2009
                NetBSD-4 branch:    Jul 22, 2009
Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
An error initializing a SHA2 context causes vulnerable applications using
libcrypto to suffer from a 4- or 8-byte buffer overflow (for SHA256 and
SHA512 respectively) with fixed content, potentially causing
applications to crash.
Technical Details
=================
A program using the SHA2 implementation from sys/sha2.h in NetBSD and
linking against libcrypto is vulnerable to a 4- or 8-byte buffer
overflow (for SHA256 and SHA512 respectively) with fixed content.
The overflow occurs at the time the hash init function is called (e.g.
SHA256_Init). The init function passes the wrong size for the
context as an argument to memset, which then overwrites
4 bytes of the memory buffer located immediately after the one holding
the context.
In the NetBSD base system, this affects the libssh library as well as
the pkg_install framework. In libssh, the overflow occurs on the heap
of the program using it; in pkg_install, a stack overflow occurs.
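The failure mode above, as an added illustration that is not NetBSD or OpenSSL code: a library init routine clears the context with a hard-coded size that is 4 bytes larger than the type the caller actually allocated, so memset writes zeros past the end of the caller's object. The struct layout, LIBRARY_CTX_SIZE and the canary harness are hypothetical; the fixed variant takes the size from the pointed-to type.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical context as declared by the caller's header (not the real
 * sys/sha2.h layout). Only the size-mismatch pattern is being modelled. */
struct sha2_ctx {
    uint32_t state[8];
    uint64_t bitcount;
    uint8_t  buffer[64];
};

/* The library's notion of the context size is 4 bytes larger: a header
 * mismatch of the kind the advisory describes (constructed value). */
#define LIBRARY_CTX_SIZE (sizeof(struct sha2_ctx) + 4)

/* Vulnerable: clears LIBRARY_CTX_SIZE bytes, i.e. 4 bytes past the
 * caller's object, with fixed content (zeros). */
static void sha2_init_vulnerable(void *ctx)
{
    memset(ctx, 0, LIBRARY_CTX_SIZE);
    ((struct sha2_ctx *)ctx)->state[0] = 0x6a09e667u; /* SHA-256 H0 */
}

/* Fixed: the cleared size comes from the type the pointer points to. */
static void sha2_init_fixed(struct sha2_ctx *ctx)
{
    memset(ctx, 0, sizeof(*ctx));
    ctx->state[0] = 0x6a09e667u;
}

static void sha2_init_fixed_adapter(void *ctx)
{
    sha2_init_fixed((struct sha2_ctx *)ctx);
}

/* Harness: a 4-byte canary sits directly after the context, modelling the
 * neighbouring heap or stack data. Returns 1 if init() left it intact. */
#define CANARY 0xA5
static int canary_intact_after(void (*init)(void *))
{
    union { uint64_t align; unsigned char mem[sizeof(struct sha2_ctx) + 4]; } u;
    memset(u.mem, CANARY, sizeof u.mem);
    init(u.mem);
    for (size_t i = sizeof(struct sha2_ctx); i < sizeof u.mem; i++)
        if (u.mem[i] != CANARY)
            return 0;
    return 1;
}

int vulnerable_init_overflows(void) { return !canary_intact_after(sha2_init_vulnerable); }
int fixed_init_is_safe(void)        { return canary_intact_after(sha2_init_fixed_adapter); }
```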
Solutions and Workarounds
=========================
A workaround for this issue for programs in the NetBSD base system
is to disable SHA256 as an HMAC for the secure shell and to avoid
using the audit facility as well as signed packages.
To determine whether or not a package is signed, run the command
% tar tzf package.tgz
on the package. If the first file of the package is +PKG_HASH,
then the package is signed.
The following instructions describe how to upgrade your libcrypto
and libc binaries by updating your source tree and rebuilding and
installing a new version of the three facilities.
* NetBSD-current:
Systems running NetBSD-current dated from before 2009-05-26
should be upgraded to NetBSD-current dated 2009-05-27 or later.
The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
common/lib/libc/hash/sha2
distrib/sets/lists
lib/libc
lib/libcrypto
sys/sys
To update from CVS, re-build, and re-install libc and libcrypto:
# cd src
# cvs update -d -P common/lib/libc/hash/sha2
# cvs update -d -P distrib/sets/lists
# cvs update -d -P lib/libc
# cvs update -d -P lib/libcrypto
# cvs update -d -P sys/sys
# cd sys/sys
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# cd ../../lib/libc
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 5.*:
Systems running NetBSD 5.* sources dated from before
2009-07-11 should be upgraded from NetBSD 5.* sources dated
2009-07-12 or later.
The following files/directories need to be updated from the
netbsd-5 or netbsd-5-0 branches:
common/lib/libc/hash/sha2
distrib/sets/lists
lib/libc
lib/libcrypto
sys/sys
To update from CVS, re-build, and re-install libc and libcrypto:
# cd src
# cvs update -r <branch_name> -d -P common/lib/libc/hash/sha2
# cvs update -r <branch_name> -d -P distrib/sets/lists
# cvs update -r <branch_name> -d -P lib/libc
# cvs update -r <branch_name> -d -P lib/libcrypto
# cvs update -r <branch_name> -d -P sys/sys
# cd sys/sys
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# cd ../../lib/libc
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 4.*:
Systems running NetBSD 4.* sources dated from before
2009-07-22 should be upgraded from NetBSD 4.* sources dated
2009-07-23 or later.
The following files/directories need to be updated from the
netbsd-4 or netbsd-4-0 branches:
common/lib/libc/hash/sha2
distrib/sets/lists
lib/libc
lib/libcrypto
sys/sys
To update from CVS, re-build, and re-install libc and libcrypto:
# cd src
# cvs update -r <branch_name> -d -P common/lib/libc/hash/sha2
# cvs update -r <branch_name> -d -P distrib/sets/lists
# cvs update -r <branch_name> -d -P lib/libc
# cvs update -r <branch_name> -d -P lib/libcrypto
# cvs update -r <branch_name> -d -P sys/sys
# cd sys/sys
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# cd ../../lib/libc
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
=========
Joerg Sonnenberger for finding, reporting and fixing the issue.
Revision History
================
2009-07-28 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-012.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2009-012.txt,v 1.1 2009/07/28 18:29:29 tonnerre Exp $