polarssl: CVE-2013-4623: Denial of Service through Certificate message during handshake

Related Vulnerabilities: CVE-2013-4623   CVE-2013-5914   CVE-2013-5915   CVE-2009-3555  

Debian Bug report logs - #719954

Package: polarssl; Maintainer for polarssl is Roland Stigge <stigge@antcom.de>;

Reported by: Henri Salo <henri@nerv.fi>

Date: Sat, 17 Aug 2013 07:42:01 UTC

Severity: important

Tags: fixed-upstream, patch, security

Found in version 1.1.4-2

Fixed in versions 1.2.9-1~deb7u1, 1.2.8-1, 1.2.9-1~deb6u1, polarssl/1.3.1-1

Done: Roland Stigge <stigge@antcom.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#719954; Package polarssl. (Sat, 17 Aug 2013 07:42:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Roland Stigge <stigge@antcom.de>. (Sat, 17 Aug 2013 07:42:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: polarssl: CVE-2013-4623: Denial of Service through Certificate message during handshake
Date: Sat, 17 Aug 2013 10:26:17 +0300
Package: polarssl
Version: 1.1.4-2
Severity: important
Tags: security, fixed-upstream, patch

The "Denial of Service through Certificate message during handshake"
vulnerability has been fixed in version 1.1.7. The source in unstable (sid)
with version 1.2.8-2 contains the fix.

Original advisory:
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-03
Upstream commit:
https://github.com/polarssl/polarssl/commit/1922a4e6aade7b1d685af19d4d9339ddb5c02859

Patch:

diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index 87151c9..296925f 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -425,6 +425,18 @@ extern "C" {

 /** \ingroup x509_module */
 /**
+ * \brief          Parse a single DER formatted certificate and add it
+ *                 to the chained list.
+ *
+ * \param chain    points to the start of the chain
+ * \param buf      buffer holding the certificate DER data
+ * \param buflen   size of the buffer
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int x509parse_crt_der( x509_cert *chain, const unsigned char *buf, size_t buflen );
+
+/**
  * \brief          Parse one or more certificates and add them
  *                 to the chained list. Parses permissively. If some
  *                 certificates can be parsed, the result is the number
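
Review bot: In the new doc comment for x509parse_crt_der(), the \return line promises "0 if successful, or a specific X509 or PEM error code", but the \brief describes a parser for a single DER formatted certificate, so the PEM error wording looks carried over from the permissive x509parse_crt() description that follows it. Suggest narrowing the \return text to the errors this function can actually produce, and documenting how buflen is treated when the buffer is longer than one certificate, since the handshake caller passes peer-supplied message data.
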
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9087ab4..e0cddf8 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2375,8 +2375,8 @@ int ssl_parse_certificate( ssl_context *ssl )
             return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
         }

-        ret = x509parse_crt( ssl->session_negotiate->peer_cert, ssl->in_msg + i,
-                             n );
+        ret = x509parse_crt_der( ssl->session_negotiate->peer_cert,
+                                 ssl->in_msg + i, n );
         if( ret != 0 )
         {
             SSL_DEBUG_RET( 1, " x509parse_crt", ret );
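
Review bot: The context line directly after the changed call still logs the old function name: `SSL_DEBUG_RET( 1, " x509parse_crt", ret );`. With the call switched to x509parse_crt_der(), the debug label should be updated to match, so that a parse failure in the handshake log points at the function that was actually invoked.
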

Marked as fixed in versions polarssl/1.2.8-2. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Sat, 17 Aug 2013 07:51:13 GMT)


Marked as fixed in versions polarssl/1.2.8-1. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Sat, 17 Aug 2013 07:57:04 GMT)


Reply sent to Roland Stigge <stigge@antcom.de>:
You have taken responsibility. (Wed, 16 Oct 2013 18:36:08 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Wed, 16 Oct 2013 18:36:08 GMT)


Message #14 received at 719954-close@bugs.debian.org:

From: Roland Stigge <stigge@antcom.de>
To: 719954-close@bugs.debian.org
Subject: Bug#719954: fixed in polarssl 1.3.1-1
Date: Wed, 16 Oct 2013 18:33:30 +0000
Source: polarssl
Source-Version: 1.3.1-1

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 719954@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Stigge <stigge@antcom.de> (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 16 Oct 2013 19:35:28 +0200
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl0
Architecture: source amd64
Version: 1.3.1-1
Distribution: unstable
Urgency: low
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Roland Stigge <stigge@antcom.de>
Description: 
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
 libpolarssl0 - lightweight crypto and SSL/TLS library
Closes: 704946 719954 725359
Changes: 
 polarssl (1.3.1-1) unstable; urgency=low
 .
   * New upstream release
     - Fixes CVE-2013-5914, CVE-2013-5915 (Closes: #725359)
     - Fixes CVE-2013-4623 (Closes: #719954)
     - Fixes CVE-2009-3555 (Closes: #704946)
Marked as found in versions 1.2.8-2; no longer marked as fixed in versions polarssl/1.2.8-2. Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. (Fri, 25 Oct 2013 02:27:05 GMT)


Marked as fixed in versions 1.2.9-1~deb7u1. Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. (Fri, 25 Oct 2013 02:27:06 GMT)


No longer marked as fixed in versions polarssl/1.2.8-1. Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. (Fri, 25 Oct 2013 02:39:04 GMT)


Marked as fixed in versions 1.2.9-1~deb6u1. Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. (Fri, 25 Oct 2013 02:39:05 GMT)


No longer marked as found in versions 1.2.8-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 25 Oct 2013 04:00:10 GMT)


Marked as fixed in versions 1.2.8-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 25 Oct 2013 04:00:10 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Nov 2013 07:37:36 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:25:16 2019; Machine Name: beach
