Bug 45750 - openssl: multiple issues (4.2)
openssl: multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-3-errata
Assigned To: Philipp Hahn
Arvid Requate
:
Depends on:
Blocks: 45751
  Show dependency treegraph
 
Reported: 2017-11-20 15:06 CET by Arvid Requate
Modified: 2018-05-08 14:56 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
requate: Patch_Available+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-11-20 15:06:28 CET
The following issues have been reported as fixed in 1.0.2m:

* Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
* bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)


We currently ship 1.0.2k which used to be in jesse-backports. Currently jessie-backports offers 1.0.2l, so cherrypicking patches would be required.
Comment 1 Philipp Hahn univentionstaff 2018-01-26 22:35:58 CET
1.0.2n <https://www.openssl.org/news/secadv/20171207.txt>

Read/write after SSL object in error state (CVE-2017-3737) 
rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

r17997 | Bug #45750: openssl

Package: openssl
Version: 1.0.2n-0A~4.2.0.201801262211
Branch: ucs_4.2-0
Scope: errata4.2-3

e419302f36 Bug #45750: openssl
Comment 2 Quality Assurance univentionstaff 2018-05-04 16:58:16 CEST
--- mirror/ftp/4.2/unmaintained/4.2-1/source/openssl_1.0.2k-1~bpo8+1A~4.2.0.201706081143.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/openssl_1.0.2n-0A~4.2.0.201801262211.dsc
@@ -1,6 +1,20 @@
-1.0.2k-1~bpo8+1A~4.2.0.201706081143 [Thu, 08 Jun 2017 11:43:01 +0200] Univention builddaemon <buildd@univention.de>:
+1.0.2n-0A~4.2.0.201801262211 [Fri, 26 Jan 2018 22:11:49 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
+
+1.0.2n-0 [Fri, 26 Jan 2018 21:37:59 +0100] Philipp Hahn <hahn@univention.de>:
+
+  * New upstream release
+    - Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
+    - bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
+    - Read/write after SSL object in error state (CVE-2017-3737)
+    - rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
+
+1.0.2l-1~bpo8+1 [Wed, 21 Jun 2017 21:42:47 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * New upstream release
+    - Properly detect features on the AMD Ryzen processor (Closes: #861145)
+  * Refresh valgrind.patch
 
 1.0.2k-1~bpo8+1 [Fri, 27 Jan 2017 22:22:13 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Comment 3 Arvid Requate univentionstaff 2018-05-08 11:09:55 CEST
* No UCS specific patches since errata4.2-0
* Comparison to previously and next shipped version ok
* Binary package update Ok
* Advisory adjusted:
  8c771c62cf | Adjust wording
Comment 4 Arvid Requate univentionstaff 2018-05-08 11:36:37 CEST
Why don't we use the 1.0.2l-2deb9u3 patches from stretch?

https://tracker.debian.org/media/packages/o/openssl1.0/changelog-1.0.2l-2deb9u3
Comment 5 Philipp Hahn univentionstaff 2018-05-08 12:01:00 CEST
(In reply to Arvid Requate from comment #4)
> Why don't we use the 1.0.2l-2deb9u3 patches from stretch?
> 
> https://tracker.debian.org/media/packages/o/openssl1.0/changelog-1.0.2l-
> 2deb9u3

1. UCS-4.2 is based on Debian-8, so the deb9 package does not work out-of-the-box and requires backporting the patches. OpenSSL has a history of backported patches going wrong.
2. According to <http://xen1.knut.univention.de:8000/packages/source/openssl/?since=4.2-0> we already had version "1.0.2k-1~bpo8+1" from "bpo", so the version from Jessie "1.0.1t-1+deb8u8" is older. There was newer "bpo" version fixing the mentioned CVEs, so I imported 'n' myself.
3. 'n' was the latest version back in January, "o" is current from 2018-03-27, 'p' is pending.

So currently we're missing <https://www.openssl.org/news/secadv/20180327.txt>:
- Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)
Comment 6 Arvid Requate univentionstaff 2018-05-08 14:56:38 CEST
<http://errata.software-univention.de/ucs/4.2/387.html>