Date: Sat, 28 Mar 2009 17:41:18 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/133156: [patch] [vuxml] security/openssl: update to 0.9.8k thus fixing secadv_20090325
Message-ID: <20090328144118.C6DB217126@amnesiac.at.no.dns>
Resent-Message-ID: <200903281450.n2SEo2mP086316@freefall.freebsd.org>

>Number: 133156
>Category: ports
>Synopsis: [patch] [vuxml] security/openssl: update to 0.9.8k thus fixing secadv_20090325
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Mar 28 14:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.2-PRERELEASE amd64
>Organization: Code Labs
>Environment:
System: FreeBSD 7.2-PRERELEASE amd64

>Description:
Multiple vulnerabilities were fixed in OpenSSL 0.9.8k:

1) An error exists in the "ASN1_STRING_print_ex()" function when
   printing "BMPString" or "UniversalString" strings. This can be
   exploited to trigger an access to invalid memory and cause a crash
   via an illegal encoded string length when e.g. printing the contents
   of a certificate.

2) The "CMS_verify()" function incorrectly handles an error condition
   when processing malformed signed attributes. This can be exploited
   to trick an application into considering a malformed set of signed
   attributes valid and skip further checks.

   NOTE: This vulnerability only affects OpenSSL versions 0.9.8h and
   later with CMS enabled (disabled by default).

   Successful exploitation requires access to a previously generated
   invalid signature.

3) An error when processing malformed ASN1 structures can be exploited
   to trigger an access to invalid memory and cause a crash via a
   specially crafted certificate.

   NOTE: This vulnerability is only present on platforms where the size
   of "long" is smaller than the size of "void *" (e.g. WIN64).

Please, note that the OpenSSL in the base system is likely vulnerable
to these issues too. But since I am not sure now, I am not mentioning
this in the VuXML entry.

>How-To-Repeat:
http://secunia.com/advisories/34411/
http://www.openssl.org/news/secadv_20090325.txt

>Fix:
The following patch updates the port to 0.9.8k. It passes
'make validate' and works for my daily operations.

--- update-to-0.9.8k.diff begins here --- >From c77146d7d0faf0f5226133f75ecf6249e6e81b31 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Sat, 28 Mar 2009 17:27:19 +0300 patch-enc_min.c was removed, because the issue was fixed in the vendor version. Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- security/openssl/Makefile | 3 +-- security/openssl/distinfo | 6 +++--- security/openssl/files/patch-enc_min.c | 11 ----------- 3 files changed, 4 insertions(+), 16 deletions(-) delete mode 100644 security/openssl/files/patch-enc_min.c diff --git a/security/openssl/Makefile b/security/openssl/Makefile index d283f91..639974b 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -6,8 +6,7 @@ # PORTNAME= openssl -PORTVERSION= 0.9.8j -PORTREVISION= 1 +PORTVERSION= 0.9.8k CATEGORIES= security devel MASTER_SITES= http://www.openssl.org/%SUBDIR%/ \ ftp://ftp.openssl.org/%SUBDIR%/ \ diff --git a/security/openssl/distinfo b/security/openssl/distinfo index 625d8f0..7e1cd3e 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo @@ -1,3 +1,3 @@ -MD5 (openssl-0.9.8j.tar.gz) = a5cb5f6c3d11affb387ecf7a997cac0c -SHA256 (openssl-0.9.8j.tar.gz) = 7131242042dbd631fbd83436f42aea1775e7c32f587fa4ada5a01df4c3ae8e8b -SIZE (openssl-0.9.8j.tar.gz) = 3738359 +MD5 (openssl-0.9.8k.tar.gz) = e555c6d58d276aec7fdc53363e338ab3 +SHA256 (openssl-0.9.8k.tar.gz) = 7e7cd4f3974199b729e6e3a0af08bd4279fde0370a1120c1a3b351ab090c6101 +SIZE (openssl-0.9.8k.tar.gz) = 3852259 diff --git a/security/openssl/files/patch-enc_min.c b/security/openssl/files/patch-enc_min.c deleted file mode 100644 index 7d4af5a..0000000 --- a/security/openssl/files/patch-enc_min.c +++ /dev/null 
@@ -1,11 +0,0 @@ ---- crypto/evp/enc_min.c.orig 2008-12-02 19:14:44.000000000 +0100 -+++ crypto/evp/enc_min.c 2009-01-09 18:20:35.000000000 +0100 -@@ -199,7 +199,7 @@ - enc = 1; - ctx->encrypt = enc; - } --#ifdef OPENSSL_NO_FIPS -+#ifndef OPENSSL_NO_FIPS - if(FIPS_selftest_failed()) - { - FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED); -- 1.6.1.3 --- update-to-0.9.8k.diff ends here ---

The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
<vuln vid="31c51f51-1ba3-11de-8775-001b77d09812">
  <topic>OpenSSL -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>openssl</name>
      <range><lt>0.9.8k</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Secunia reports:</p>
      <blockquote cite="http://secunia.com/advisories/34411/">
        <p>Some vulnerabilities have been reported in OpenSSL, which
          can be exploited by malicious people to bypass certain
          security restrictions or cause a DoS (Denial of Service).</p>
        <ol>
          <li>An error exists in the "ASN1_STRING_print_ex()" function
            when printing "BMPString" or "UniversalString" strings.
            This can be exploited to trigger an access to invalid
            memory and cause a crash via an illegal encoded string
            length when e.g. printing the contents of a
            certificate.</li>
          <li>The "CMS_verify()" function incorrectly handles an error
            condition when processing malformed signed attributes.
            This can be exploited to trick an application into
            considering a malformed set of signed attributes valid and
            skip further checks.
            <em>NOTE: This vulnerability only affects OpenSSL versions
            0.9.8h and later with CMS enabled (disabled by
            default).</em>
            Successful exploitation requires access to a previously
            generated invalid signature.</li>
          <li>An error when processing malformed ASN1 structures can be
            exploited to trigger an access to invalid memory and cause
            a crash via a specially crafted certificate.
            <em>NOTE: This vulnerability is only present on platforms
            where the size of "long" is smaller than the size of
            "void*" (e.g. WIN64).</em></li>
        </ol>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2009-0590</cvename>
    <cvename>CVE-2009-0591</cvename>
    <cvename>CVE-2009-0789</cvename>
    <bid>34256</bid>
    <url>http://secunia.com/advisories/34411/</url>
    <url>http://www.openssl.org/news/secadv_20090325.txt</url>
  </references>
  <dates>
    <discovery>2009-03-25</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
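
Review bot: in the security/openssl/distinfo hunk, the new MD5, SHA256 and SIZE lines for openssl-0.9.8k.tar.gz are introduced without any statement in the PR of how the distfile itself was verified. Since this is a security update of a crypto library, please say in the PR whether the tarball was checked against the upstream signature or a digest published by the vendor, so the committer can confirm the recorded SHA256 independently rather than trusting a single fetch.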
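
Review bot: the deletion of security/openssl/files/patch-enc_min.c rests only on the commit message's statement that the issue was fixed in the vendor version, with no pointer to the upstream change. The removed patch turned "#ifdef OPENSSL_NO_FIPS" into "#ifndef OPENSSL_NO_FIPS" in front of the FIPS_selftest_failed() check in crypto/evp/enc_min.c. Please confirm that the 0.9.8k source carries the "#ifndef" form at that spot and say so in the commit message, so the self-test check is not silently lost from FIPS-enabled builds.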