Bug 37960 - openssl: Denial of service (4.0)
openssl: Denial of service (4.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.0
Other Linux
: P3 normal (vote)
: UCS 4.0-1-errata
Assigned To: Moritz Muehlenhoff
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-03-06 12:57 CET by Moritz Muehlenhoff
Modified: 2015-03-25 18:27 CET (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Moritz Muehlenhoff univentionstaff 2015-03-06 12:57:46 CET
NULL pointer dereference in X509 parsing (CVE-2015-0288)
NULL pointer derererence in elliptic curves (CVE-2015-0209)
Comment 1 Arvid Requate univentionstaff 2015-03-18 10:24:54 CET
Handshake with unseeded PRNG (CVE-2015-0285)
Comment 2 Arvid Requate univentionstaff 2015-03-18 12:36:44 CET
Cherrypicked from errata4.0-0 (==ucs4.0-1) to errata4.0-1

CVE-2015-0285 does not apply to 1.0.1e, introduced later via upstream git commit 173e72e64c6a07ae97660c322396b66215009f33 (Mon Mar 11 15:34:28 2013)

Advisory: 2015-03-18-openssl.yaml
Comment 3 Philipp Hahn univentionstaff 2015-03-18 18:01:44 CET
OK: aptitude install '?source-package(openssl)?installed' # amd64 i386
OK: dpkg-query -W openssl # 1.0.1e-2.88.201503181219
OK: openssl x509 -noout -text -in /etc/univention/ssl/ucsCA/CAcert.pem
OK: openssl s_client -host www.univention.de -port 443 <<<'GET /'
OK: r14492 patch
OK: r59166 YAML
OK: errata-announce -V 2015-03-18-openssl.yaml
FIXED: 2015-03-18-openssl.yaml -> r59187
Comment 4 Arvid Requate univentionstaff 2015-03-19 16:36:25 CET
Additional issues:

Denial of service during certificate signature algorithm verification in ASN1_TYPE_cmp function (CVE-2015-0286)

Memory corruption in ASN.1 parsing. Only affects applications with rarely found strongly discouraged ASN.1 parsing flaw (CVE-2015-0287)

Denial of service due to NULL pointer dereference in the PKCS#7 parsing code. Quote: "Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected." (CVE-2015-0289)

Memory corruption due to missing input sanitising in base64 decoding. Could be exploited by maliciously crafted base64 data. Quote: "Any code path that reads base64 data from an untrusted source could be affected (such as the PEM processing routines). (CVE-2015-0292)
Comment 5 Arvid Requate univentionstaff 2015-03-20 10:25:50 CET
Updated upstream wheezy package imported and built in errata4.0-1.
Advisory is updated.
Comment 6 Philipp Hahn univentionstaff 2015-03-20 15:25:38 CET
(In reply to Philipp Hahn from comment #3)
OK: apt-cache policy openssl # 1.0.1e-2.92.201503200950
OK: aptitude install '?source-package(openssl)?installed' # amd64 i386
OK: zless /usr/share/doc/openssl/changelog.Debian.gz
OK: CVE-2015-0292 CVE-2015-0289 CVE-2015-0287 CVE-2015-0286 CVE-2015-0209 CVE-2015-0288
OK: diff -urN openssl-1.0.1e openssl-1.0.1e.fixed
OK: openssl x509 -noout -text -in /etc/univention/ssl/ucsCA/CAcert.pem
OK: openssl s_client -host www.univention.de -port 443 <<<'GET /'
OK: univention-certificate new -name test.qa.intranet
OK: univention-certificate renew -name test.qa.intranet -days 3560
OK: univention-certificate revoke -name test.qa.intranet
OK: errata-announce -V 2015-03-18-openssl.yaml
OK: 2015-03-18-openssl.yaml
Comment 7 Moritz Muehlenhoff univentionstaff 2015-03-25 09:24:54 CET
There's been a regression update in Debian, we should incorporate that update:
https://lists.debian.org/debian-security-announce/2015/msg00090.html
Comment 8 Moritz Muehlenhoff univentionstaff 2015-03-25 09:27:04 CET
(In reply to Moritz Muehlenhoff from comment #7)
> There's been a regression update in Debian, we should incorporate that
> update:
> https://lists.debian.org/debian-security-announce/2015/msg00090.html

The version in 3.2 is ok, the faulty patch isn't present there.
Comment 9 Moritz Muehlenhoff univentionstaff 2015-03-25 10:28:29 CET
The update package has been built. YAML also updated.
Comment 10 Philipp Hahn univentionstaff 2015-03-25 10:39:34 CET
OK: r59369
OK: apt-cache policy openssl # 1.0.1e-2.99.201503250939
OK: aptitude install '?source-package(openssl)?installed' # amd64 i386
OK: zless /usr/share/doc/openssl/changelog.Debian.gz # 1.0.1e-2+deb7u16
OK: openssl x509 -noout -text -in /etc/univention/ssl/ucsCA/CAcert.pem
OK: openssl s_client -host www.univention.de -port 443 <<<'GET /'
OK: univention-certificate new -name test.qa.intranet
OK: univention-certificate renew -name test.qa.intranet -days 3560
OK: univention-certificate revoke -name test.qa.intranet
OK: echo ZW5jb2RlIG1lCg================================================================== | openssl enc -d -base64
OK: errata-announce -V 2015-03-18-openssl.yaml
OK: 2015-03-18-openssl.yaml
Comment 11 Janek Walkenhorst univentionstaff 2015-03-25 18:27:48 CET
<http://errata.univention.de/ucs/4.0/142.html>