openssl: CVE-2009-0590 denial of service

Related Vulnerabilities: CVE-2009-0590  

Debian Bug report logs - #522002


Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Date: Tue, 31 Mar 2009 04:06:01 UTC

Severity: important

Tags: security

Fixed in version openssl/0.9.8g-16

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#522002; Package openssl. (Tue, 31 Mar 2009 04:06:03 GMT)


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 31 Mar 2009 04:06:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: openssl: CVE-2009-0590 denial of service
Date: Tue, 31 Mar 2009 00:03:42 -0400
Package: openssl
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssl.

CVE-2009-0590[0]:
  The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows
  remote attackers to cause a denial of service (invalid memory access
  and application crash) via vectors that trigger printing of a (1)
  BMPString or (2) UniversalString with an invalid encoded length.

This was just fixed in ubuntu [1].  Please coordinate with the
security team to release fixes for the stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590
    http://security-tracker.debian.net/tracker/CVE-2009-0590
[1] http://www.ubuntu.com/usn/usn-750-1




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#522002; Package openssl. (Wed, 01 Apr 2009 09:57:03 GMT)


Acknowledgement sent to Jon Daley <debian@jon.limedaley.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 01 Apr 2009 09:57:04 GMT)


Message #10 received at 522002@bugs.debian.org:

From: Jon Daley <debian@jon.limedaley.com>
To: 522002@bugs.debian.org
Subject: debian not vulnerable?
Date: Wed, 1 Apr 2009 05:54:51 -0400 (EDT)
From my reading of this advisory, Debian builds aren't vulnerable, as it 
only affects 0.9.8h and higher?  (additionally, with a non-default setting 
turned on)

http://secunia.com/advisories/34411



-- 
Jon Daley
http://jon.limedaley.com
~~
He who laughs last is generally the last to get the joke.
-- Terry Cohen





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#522002; Package openssl. (Wed, 01 Apr 2009 09:57:05 GMT)


Acknowledgement sent to Jon Daley <jon@limedaley.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 01 Apr 2009 09:57:05 GMT)


Message #15 received at 522002@bugs.debian.org:

From: Jon Daley <jon@limedaley.com>
To: 522002@bugs.debian.org
Subject: Re: debian not vulnerable?
Date: Wed, 1 Apr 2009 05:56:05 -0400 (EDT)
Ah sorry, I read it again more carefully - the secunia advisory is 
reporting multiple vulnerabilities, and we are vulnerable to the ASN one.

On Wed, 1 Apr 2009, Jon Daley wrote:

> From my reading of this advisory, Debian builds aren't vulnerable, as it only 
> affects 0.9.8h and higher?  (additionally, with a non-default setting turned 
> on)
>
> http://secunia.com/advisories/34411
>
>
>
>

-- 
Jon Daley
http://jon.limedaley.com
~~
If you're really afraid of some bad outcome, that's what you're going
to get.  If you behave as if you trust somebody, you're more likely to
get trust back.
-- Charles Green, founder of Trusted Advisor Associates




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#522002; Package openssl. (Wed, 01 Apr 2009 17:15:02 GMT)


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 01 Apr 2009 17:15:02 GMT)


Message #20 received at 522002@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>, 522002@bugs.debian.org, "Package Development List for OpenSSL packages." <pkg-openssl-devel@lists.alioth.debian.org>
Cc: submit@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#522002: openssl: CVE-2009-0590 denial of service
Date: Wed, 1 Apr 2009 19:14:06 +0200
On Tue, Mar 31, 2009 at 12:03:42AM -0400, Michael S. Gilbert wrote:
> Package: openssl
> Severity: important
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for openssl.
> 
> CVE-2009-0590[0]:
>   The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows
>   remote attackers to cause a denial of service (invalid memory access
>   and application crash) via vectors that trigger printing of a (1)
>   BMPString or (2) UniversalString with an invalid encoded length.
> 
> This was just fixed in ubuntu [1].  Please coordinate with the
> security team to release fixes for the stable releases.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590
>     http://security-tracker.debian.net/tracker/CVE-2009-0590
> [1] http://www.ubuntu.com/usn/usn-750-1

I've attached the patch from upstream CVS.


Kurt

[CVE-2009-0590.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#522002; Package openssl. (Wed, 01 Apr 2009 20:39:03 GMT)


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 01 Apr 2009 20:39:03 GMT)


Message #25 received at 522002@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>, 522002@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#522002: openssl: CVE-2009-0590 denial of service
Date: Wed, 1 Apr 2009 22:38:26 +0200
On Wed, Apr 01, 2009 at 07:14:06PM +0200, Kurt Roeckx wrote:
> On Tue, Mar 31, 2009 at 12:03:42AM -0400, Michael S. Gilbert wrote:
> > Package: openssl
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for openssl.
> > 
> > CVE-2009-0590[0]:
> >   The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows
> >   remote attackers to cause a denial of service (invalid memory access
> >   and application crash) via vectors that trigger printing of a (1)
> >   BMPString or (2) UniversalString with an invalid encoded length.

Hi,

I've put up packages for oldstable and stable at:
http://people.debian.org/~kroeckx/openssl/CVE-2009-0590/

I'll also upload version 0.9.8g-16 to unstable shortly.


Kurt





Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Wed, 01 Apr 2009 21:15:29 GMT)


Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Wed, 01 Apr 2009 21:15:31 GMT)


Message #30 received at 522002-close@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: 522002-close@bugs.debian.org
Subject: Bug#522002: fixed in openssl 0.9.8g-16
Date: Wed, 01 Apr 2009 21:04:09 +0000
Source: openssl
Source-Version: 0.9.8g-16

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:

libcrypto0.9.8-udeb_0.9.8g-16_amd64.udeb
  to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-16_amd64.udeb
libssl-dev_0.9.8g-16_amd64.deb
  to pool/main/o/openssl/libssl-dev_0.9.8g-16_amd64.deb
libssl0.9.8-dbg_0.9.8g-16_amd64.deb
  to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-16_amd64.deb
libssl0.9.8_0.9.8g-16_amd64.deb
  to pool/main/o/openssl/libssl0.9.8_0.9.8g-16_amd64.deb
openssl_0.9.8g-16.dsc
  to pool/main/o/openssl/openssl_0.9.8g-16.dsc
openssl_0.9.8g-16.tar.gz
  to pool/main/o/openssl/openssl_0.9.8g-16.tar.gz
openssl_0.9.8g-16_amd64.deb
  to pool/main/o/openssl/openssl_0.9.8g-16_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 522002@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 01 Apr 2009 22:04:53 +0200
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8g-16
Distribution: unstable
Urgency: high
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description: 
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 522002
Changes: 
 openssl (0.9.8g-16) unstable; urgency=high
 .
   * Properly validate the length of an encoded BMPString and UniversalString
     (CVE-2009-0590)  (Closes: #522002)
Checksums-Sha1: 
 8c78bc63c276f2ec38360c1cb8417fa289294f9a 1060 openssl_0.9.8g-16.dsc
 3e18fdd229f7e3deef8848a7805b188330015351 3495823 openssl_0.9.8g-16.tar.gz
 aa76b2fbf2e87dc1e12283d5b4bf17b39ac5c043 1040180 openssl_0.9.8g-16_amd64.deb
 bbda241085daa165ca97da70993c55487462700a 974098 libssl0.9.8_0.9.8g-16_amd64.deb
 73835d33550378d6e34f142ebce1f70a4d2e269b 638074 libcrypto0.9.8-udeb_0.9.8g-16_amd64.udeb
 7a7e11e9274d4944b0761674a223d8292bd4df9e 2241328 libssl-dev_0.9.8g-16_amd64.deb
 ad4df2106cb9e4a489bef53bfc94c70620695f16 1627132 libssl0.9.8-dbg_0.9.8g-16_amd64.deb
Checksums-Sha256: 
 d8a0bd5876cbf462a6caaab175af8f47f5a5e08c2fdfcb2223c4df3ac7ceebfb 1060 openssl_0.9.8g-16.dsc
 100ef3ddf64a31ab4c1a7598fd2b5c6c1ee16e7df7da193e116c600bb4831f34 3495823 openssl_0.9.8g-16.tar.gz
 2d3ca07a9131451bb5ab238f18972f4245bc3396cb4eaba9cc52c6d70d29215f 1040180 openssl_0.9.8g-16_amd64.deb
 da36b2417df9145a2d7cd342d62ee03d082a3029430ba0c8ff58a092e0e7d689 974098 libssl0.9.8_0.9.8g-16_amd64.deb
 e703c76dfa89e213bc507af0205f735161be9fa075d0fad4efa5cedcf0f17a95 638074 libcrypto0.9.8-udeb_0.9.8g-16_amd64.udeb
 d788fc024969611ecbb3c4ccc8638cdebd9be3c64c7b6e8387bcd57faafeaffe 2241328 libssl-dev_0.9.8g-16_amd64.deb
 09e2210a2796d016170dabdf98e5af33232734e6a4b8f71f0a4d7bb4ebc1162f 1627132 libssl0.9.8-dbg_0.9.8g-16_amd64.deb
Files: 
 588bd900315a89c46b397ef677b2d9bf 1060 utils optional openssl_0.9.8g-16.dsc
 5d2abe50e7cb7d8c23c1ae6096e03e80 3495823 utils optional openssl_0.9.8g-16.tar.gz
 ef888cdd080b96039e027c89848e5532 1040180 utils optional openssl_0.9.8g-16_amd64.deb
 747e247079368518b12ec94a2c40976b 974098 libs important libssl0.9.8_0.9.8g-16_amd64.deb
 ecdcd1912ca417b545470e64d2e89bf5 638074 debian-installer optional libcrypto0.9.8-udeb_0.9.8g-16_amd64.udeb
 76f060a819faa04da4a0d7a834ae857d 2241328 libdevel optional libssl-dev_0.9.8g-16_amd64.deb
 0bdfabd8f256f4c323cb3ea97262560e 1627132 libdevel extra libssl0.9.8-dbg_0.9.8g-16_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknT0tkACgkQQdwckHJElwuB/ACcDd9I7NrH7WbeX81SnND1XdXQ
IXEAoJ8r19BuhGel6e6/zDCiQhMpGcRo
=SYSQ
-----END PGP SIGNATURE-----
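The CVE text in the original report (a BMPString or UniversalString "with an invalid encoded length" crashing ASN1_STRING_print_ex) and the changelog entry above ("Properly validate the length of an encoded BMPString and UniversalString") describe the same defect from two sides: BMPString characters are 2 bytes and UniversalString characters are 4 bytes, so a printer that walks the buffer in fixed strides without first confirming the length is a multiple of the character width steps past the end of the buffer on a trailing partial character. The following is an added, stand-alone C example written for this page; it is not OpenSSL's code and does not reproduce the upstream patch. The tag values for the two string types are the real ASN.1 universal tags, but the function names (asn1_string_length_ok, asn1_string_to_codepoints) and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ASN.1 universal tag numbers for the two string types named in the CVE. */
#define V_ASN1_UNIVERSALSTRING 28
#define V_ASN1_BMPSTRING       30

/* Bytes per character: BMPString is UCS-2, UniversalString is UCS-4. */
static int char_width(int type)
{
    switch (type) {
    case V_ASN1_BMPSTRING:       return 2;
    case V_ASN1_UNIVERSALSTRING: return 4;
    default:                     return 1;
    }
}

/*
 * The validation the changelog describes: an encoded BMPString or
 * UniversalString is only well-formed when its byte length is a multiple of
 * the character width. Returns 1 if the length is acceptable, 0 otherwise.
 */
int asn1_string_length_ok(int type, size_t len)
{
    return (len % (size_t)char_width(type)) == 0;
}

/*
 * Decode a big-endian BMPString/UniversalString into code points, as a
 * printer would before escaping and emitting each character. Returns the
 * number of code points written, or -1 if the encoded length is invalid or
 * the output buffer is too small. Every read stays within buf[0..len).
 */
int asn1_string_to_codepoints(int type, const unsigned char *buf, size_t len,
                              uint32_t *out, size_t out_cap)
{
    if (!asn1_string_length_ok(type, len))
        return -1;                      /* reject before any stride past the end */
    int width = char_width(type);
    size_t n = len / (size_t)width;
    if (n > out_cap)
        return -1;
    for (size_t i = 0; i < n; i++) {
        const unsigned char *p = buf + i * (size_t)width;
        uint32_t c = 0;
        for (int k = 0; k < width; k++)
            c = (c << 8) | p[k];
        out[i] = c;
    }
    return (int)n;
}

/* Constructed sample inputs (not taken from any real certificate). */
const unsigned char SAMPLE_BMP[]  = {0x00, 0x48, 0x00, 0x69};           /* "Hi" */
const unsigned char SAMPLE_UNIV[] = {0x00, 0x00, 0x00, 0x41,             /* 'A'     */
                                     0x00, 0x01, 0xF6, 0x00};            /* U+1F600 */

int main(void)
{
    uint32_t cps[8];
    int n = asn1_string_to_codepoints(V_ASN1_BMPSTRING, SAMPLE_BMP,
                                      sizeof SAMPLE_BMP, cps, 8);
    printf("BMPString, 4 bytes: %d code points\n", n);
    /* A 3-byte BMPString has a dangling half character: rejected, not read. */
    n = asn1_string_to_codepoints(V_ASN1_BMPSTRING, SAMPLE_BMP, 3, cps, 8);
    printf("BMPString, 3 bytes: %d (invalid length)\n", n);
    n = asn1_string_to_codepoints(V_ASN1_UNIVERSALSTRING, SAMPLE_UNIV, 7, cps, 8);
    printf("UniversalString, 7 bytes: %d (invalid length)\n", n);
    return 0;
}
```

The point of the check is that it runs before the stride loop, on the length alone, so a truncated trailing character is rejected without any read beyond the declared buffer; a decoder that instead compared pointers for inequality while advancing by the character width would never hit its loop exit on an odd-length BMPString.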





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Jun 2009 07:26:55 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:59:25 2019; Machine Name: buxtehude
