openssl: OpenSSL does not check for a NULL return value from bn_wexpand function calls

Debian Bug report logs - #575433
openssl: OpenSSL does not check for a NULL return value from bn_wexpand function calls

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "A. Maitland Bottoms" <bottoms@debian.org>

To: "Debian Bug Tracking System" <submit@bugs.debian.org>

Subject: openssl: OpenSSL does not check for a NULL return value from bn_wexpand function calls

Date: Thu, 25 Mar 2010 14:45:41 -0400

[Message part 1 (text/plain, inline)]

Package: openssl
Version: 0.9.8g-15+lenny6
Tags: lenny,security,patch

This bug report is based upon CVE-2009-3245
OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which 
has unspecified impact and context-dependent attack vectors.

http://security-tracker.debian.org/tracker/CVE-2009-3245

While the security-tracker includes a "Minor issue" comment in the notes, the CVE
states "NVD severity	   high (attack range: remote)" so perhaps there should
be a security update for the version in Debian stable.

The upstream fixes are available, visible from
http://cvs.openssl.org/chngview?cn=19309

and that changeset applies cleanly to the .c files in the stable
Debian 0.9.8g-15+lenny6 source. And is attached to this message.

[openssl_patchset_19309.diff (text/plain, inline)]

Index: openssl/CHANGES
RCS File: /v/openssl/cvs/openssl/CHANGES,v
rcsdiff -q -kk '-r1.1238.2.188' '-r1.1238.2.189' -u '/v/openssl/cvs/openssl/CHANGES,v' 2>/dev/null
--- CHANGES	2010/02/19 18:25:37	1.1238.2.188
+++ CHANGES	2010/02/23 10:36:39	1.1238.2.189
@@ -4,6 +4,9 @@
 
  Changes between 0.9.8l and 0.9.8m [xx XXX xxxx]
 
+  *) Always check bn_wexpend() return values for failure.  (CVE-2009-3245)
+     [Martin Olsson, Neel Mehta]
+
   *) Fix X509_STORE locking: Every 'objs' access requires a lock (to
      accommodate for stack sorting, always a write lock!).
      [Bodo Moeller]
Index: openssl/crypto/bn/bn_div.c
RCS File: /v/openssl/cvs/openssl/crypto/bn/bn_div.c,v
rcsdiff -q -kk '-r1.37.2.8' '-r1.37.2.9' -u '/v/openssl/cvs/openssl/crypto/bn/bn_div.c,v' 2>/dev/null
--- bn_div.c	2009/06/17 11:26:39	1.37.2.8
+++ bn_div.c	2010/02/23 10:36:41	1.37.2.9
@@ -102,7 +102,7 @@
 	/* The next 2 are needed so we can do a dv->d[0]|=1 later
 	 * since BN_lshift1 will only work once there is a value :-) */
 	BN_zero(dv);
-	bn_wexpand(dv,1);
+	if(bn_wexpand(dv,1) == NULL) goto end;
 	dv->top=1;
 
 	if (!BN_lshift(D,D,nm-nd)) goto end;
Index: openssl/crypto/bn/bn_gf2m.c
RCS File: /v/openssl/cvs/openssl/crypto/bn/bn_gf2m.c,v
rcsdiff -q -kk '-r1.18.2.2' '-r1.18.2.3' -u '/v/openssl/cvs/openssl/crypto/bn/bn_gf2m.c,v' 2>/dev/null
--- bn_gf2m.c	2008/06/23 20:46:28	1.18.2.2
+++ bn_gf2m.c	2010/02/23 10:36:41	1.18.2.3
@@ -294,7 +294,8 @@
 	if (a->top < b->top) { at = b; bt = a; }
 	else { at = a; bt = b; }
 
-	bn_wexpand(r, at->top);
+	if(bn_wexpand(r, at->top) == NULL)
+		return 0;
 
 	for (i = 0; i < bt->top; i++)
 		{
Index: openssl/crypto/ec/ec2_smpl.c
RCS File: /v/openssl/cvs/openssl/crypto/ec/ec2_smpl.c,v
rcsdiff -q -kk '-r1.14.2.1' '-r1.14.2.2' -u '/v/openssl/cvs/openssl/crypto/ec/ec2_smpl.c,v' 2>/dev/null
--- ec2_smpl.c	2006/03/13 23:12:07	1.14.2.1
+++ ec2_smpl.c	2010/02/23 10:36:41	1.14.2.2
@@ -174,8 +174,10 @@
 	dest->poly[2] = src->poly[2];
 	dest->poly[3] = src->poly[3];
 	dest->poly[4] = src->poly[4];
-	bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
-	bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+	if(bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)
+		return 0;
+	if(bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)
+		return 0;
 	for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0;
 	for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0;
 	return 1;
@@ -199,12 +201,12 @@
 
 	/* group->a */
 	if (!BN_GF2m_mod_arr(&group->a, a, group->poly)) goto err;
-	bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+	if(bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) goto err;
 	for (i = group->a.top; i < group->a.dmax; i++) group->a.d[i] = 0;
 	
 	/* group->b */
 	if (!BN_GF2m_mod_arr(&group->b, b, group->poly)) goto err;
-	bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+	if(bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) goto err;
 	for (i = group->b.top; i < group->b.dmax; i++) group->b.d[i] = 0;
 		
 	ret = 1;
Index: openssl/engines/e_ubsec.c
RCS File: /v/openssl/cvs/openssl/engines/e_ubsec.c,v
rcsdiff -q -kk '-r1.13.2.3' '-r1.13.2.4' -u '/v/openssl/cvs/openssl/engines/e_ubsec.c,v' 2>/dev/null
--- e_ubsec.c	2007/09/06 12:43:53	1.13.2.3
+++ e_ubsec.c	2010/02/23 10:36:41	1.13.2.4
@@ -934,7 +934,7 @@
                 priv_key = BN_new();
                 if (priv_key == NULL) goto err;
                 priv_key_len = BN_num_bits(dh->p);
-                bn_wexpand(priv_key, dh->p->top);
+                if(bn_wexpand(priv_key, dh->p->top) == NULL) goto err;
                 do
                         if (!BN_rand_range(priv_key, dh->p)) goto err;
                 while (BN_is_zero(priv_key));
@@ -949,7 +949,7 @@
                 {
                 pub_key = BN_new();
                 pub_key_len = BN_num_bits(dh->p);
-                bn_wexpand(pub_key, dh->p->top);
+                if(bn_wexpand(pub_key, dh->p->top) == NULL) goto err;
                 if(pub_key == NULL) goto err;
                 }
         else

Message #10 received at 575433@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>

To: "A. Maitland Bottoms" <bottoms@debian.org>, 575433@bugs.debian.org

Subject: Re: [Pkg-openssl-devel] Bug#575433: openssl: OpenSSL does not check for a NULL return value from bn_wexpand function calls

Date: Wed, 7 Apr 2010 00:45:31 +0200

On Thu, Mar 25, 2010 at 02:45:41PM -0400, A. Maitland Bottoms wrote:
> Package: openssl
> Version: 0.9.8g-15+lenny6
> Tags: lenny,security,patch
> 
> This bug report is based upon CVE-2009-3245
> OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which 
> has unspecified impact and context-dependent attack vectors.
> 
> http://security-tracker.debian.org/tracker/CVE-2009-3245
> 
> While the security-tracker includes a "Minor issue" comment in the notes, the CVE
> states "NVD severity	   high (attack range: remote)" so perhaps there should
> be a security update for the version in Debian stable.

The security team didn't seem to agree on the severity.

Looking at the code, I only see those cases returning an error:
        if (words > (INT_MAX/(4*BN_BITS2)))
                {
                BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_BIGNUM_TOO_LONG);
                return NULL;
                }
        if (BN_get_flags(b,BN_FLG_STATIC_DATA))
                {
                BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
                return(NULL);
                }
        a=A=(BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG)*words);
        if (A == NULL)
                {
                BNerr(BN_F_BN_EXPAND_INTERNAL,ERR_R_MALLOC_FAILURE);
                return(NULL);
                }

So the most likely cause is malloc failing.  And I think if
you can can trigger that, more things will go wrong.

Anyway, I should probably fix this in a point release.


Kurt

Message #15 received at 575433@bugs.debian.org (full text, mbox, reply):

From: "Jan Schulz-Hofen | ROCKET RENTALS" <jan@rocket-rentals.de>

To: 575433@bugs.debian.org

Subject: This is needed to pass PCI Compliance Checks

Date: Thu, 3 Jun 2010 15:29:42 +0200

I came across this due to a recent PCI compliance check I did using
Comodo's HackerGuardian. I believe they use some nessus-based security
scanner which detects possible vulnerabilities by (among other things)
looking at banners and version numbers. Usually, I can point Comodo's
support staff to the CVE page on security-tracker.debian.org and if
it's marked as fixed in lenny, they agree to set the issue as false
positive for me. In this case, I cannot point them to
http://security-tracker.debian.org/tracker/CVE-2009-3245 because it's
still marked as vulnerable.

No matter the actual severity of this, I'd assume a number of people
need to have PCI compliance scans performed (you have to do that at
least quarterly to be able to accept and store credit card data), and
they are pretty standard, so I guess a fix in stable would benefit a
larger audience. I'd be willing to help, but I have never
build/patched/submitted a Debian package before :(

Message #22 received at 575433-close@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>

To: 575433-close@bugs.debian.org

Subject: Bug#575433: fixed in openssl 0.9.8g-15+lenny7

Date: Tue, 08 Jun 2010 19:52:43 +0000

Source: openssl
Source-Version: 0.9.8g-15+lenny7

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:

libcrypto0.9.8-udeb_0.9.8g-15+lenny7_amd64.udeb
  to main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny7_amd64.udeb
libssl-dev_0.9.8g-15+lenny7_amd64.deb
  to main/o/openssl/libssl-dev_0.9.8g-15+lenny7_amd64.deb
libssl0.9.8-dbg_0.9.8g-15+lenny7_amd64.deb
  to main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny7_amd64.deb
libssl0.9.8_0.9.8g-15+lenny7_amd64.deb
  to main/o/openssl/libssl0.9.8_0.9.8g-15+lenny7_amd64.deb
openssl_0.9.8g-15+lenny7.diff.gz
  to main/o/openssl/openssl_0.9.8g-15+lenny7.diff.gz
openssl_0.9.8g-15+lenny7.dsc
  to main/o/openssl/openssl_0.9.8g-15+lenny7.dsc
openssl_0.9.8g-15+lenny7_amd64.deb
  to main/o/openssl/openssl_0.9.8g-15+lenny7_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 575433@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 07 Jun 2010 20:30:01 +0200
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8g-15+lenny7
Distribution: stable-security
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description: 
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 575433
Changes: 
 openssl (0.9.8g-15+lenny7) stable-security; urgency=low
 .
   * Check return type of bn_wexpand().  Fixes CVE-2009-3245
     (Closes: #575433)
Checksums-Sha1: 
 4f5b216ee00dcd67d7a2f27369ebf5e7419d041b 1973 openssl_0.9.8g-15+lenny7.dsc
 9478a88efaca7461e506e8c2fc3963f7bfd38ca5 60059 openssl_0.9.8g-15+lenny7.diff.gz
 e66d46c42b130f532dada2cc1b0c820f5aebfbab 1043234 openssl_0.9.8g-15+lenny7_amd64.deb
 7fd4450299bd965986ffe7c59a3922620538b06e 975828 libssl0.9.8_0.9.8g-15+lenny7_amd64.deb
 119541aa94a84a907a6af87571db518dc3389fde 638416 libcrypto0.9.8-udeb_0.9.8g-15+lenny7_amd64.udeb
 3ecc3b73bfcd124798159c632d276aec8851de77 2243042 libssl-dev_0.9.8g-15+lenny7_amd64.deb
 dbfc1c1aec8d734354bd73bd1fde8ae1fee230d4 1627806 libssl0.9.8-dbg_0.9.8g-15+lenny7_amd64.deb
Checksums-Sha256: 
 d36566a01b36d554d4a798404adc5c2ec6bc9a45c7088cbc1ba9e2fa5f535c56 1973 openssl_0.9.8g-15+lenny7.dsc
 637186d9a8d50196c2afe460944ecfc3e87af202db2e21a92f1a950731b18f60 60059 openssl_0.9.8g-15+lenny7.diff.gz
 727918d21a335356654e5a2db3408a1b7f8fd98b84f11e82df382457f7be7129 1043234 openssl_0.9.8g-15+lenny7_amd64.deb
 fdcd08ec5554fba10aaa23cf59d632a83f0e9c0edbd64d5bb39c7c5af39d37fa 975828 libssl0.9.8_0.9.8g-15+lenny7_amd64.deb
 7259ca3b414181c2626c58eb5d0fb045e94a179ff92938bd8d5170adb95a37eb 638416 libcrypto0.9.8-udeb_0.9.8g-15+lenny7_amd64.udeb
 39500973e9a2c94d336432cd644ad52f2d776508397c7049f17812e2aa781757 2243042 libssl-dev_0.9.8g-15+lenny7_amd64.deb
 017dff7d2e695d21487356f59526ba40e0f7385d7434cf880ab7b43e7e7496ab 1627806 libssl0.9.8-dbg_0.9.8g-15+lenny7_amd64.deb
Files: 
 3a01fda475d201be06b6e6fda6fa0c04 1973 utils optional openssl_0.9.8g-15+lenny7.dsc
 f41577974ba83091b5348a4a2ad57ded 60059 utils optional openssl_0.9.8g-15+lenny7.diff.gz
 3598a915836a76f0ad01976f02b96b1d 1043234 utils optional openssl_0.9.8g-15+lenny7_amd64.deb
 bc0088cdd1d68811e8094a1a951d9b8e 975828 libs important libssl0.9.8_0.9.8g-15+lenny7_amd64.deb
 f0d8a903cadfe8a3050e3c988074ab72 638416 debian-installer optional libcrypto0.9.8-udeb_0.9.8g-15+lenny7_amd64.udeb
 0b8c96ea9636f04396d2361597bf146d 2243042 libdevel optional libssl-dev_0.9.8g-15+lenny7_amd64.deb
 61353d2ca6f62fabe6ea01ef3f6da0dc 1627806 libdevel extra libssl0.9.8-dbg_0.9.8g-15+lenny7_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCgAGBQJMDUtvAAoJEGpMZM6DE7XwAqIQAIsK7maxsdtleyuo1gtVe6bg
NTCJidExE2rrNyWKminyMrOmF3/PrBhdV8978MjpRV1qAnz9NyZr8cG/IHql6kcy
m2UqFGRuTd59A9rZF28WFxVfd4+PfM1pTl6/BK8oEzF6IQwBK7etoTmoG1MXXSB5
rVg9UWPUyt+QIYPAS6mxMzXDvMcFnydxYEOv2pAPQSAiKdAHg3O+d27sMik2EFsI
z+kxTxCfJyHaqJvh5od2xub1/pIluL1UPdp/MAE+n8wd6cam53tfVJNhYI0Rlbnu
Z0ol20QT91bHHqtyG9hH6zKZMt05/ZX5FfFqTjlPaiCEYmwniqyOENOmxXwND5Kc
yoZRuW68K8LeohNpIzNyG/xngnLnC1SCZD5A7MF4lFQjnSEMrFAEdVg8ZlPskOqK
sFXC/RZCQNe8Tq5xpRU47FPkl9B1wsVBWDurV2R2kXug34/DOH++KkMM97oCzGIl
SjNEqa9yuUhxPNQcTyboG+B0lRSqkWYflO3CGp05j2no/1Ne+MQWX7UcLYWMiGMV
IYcoQZutQ4EFnp4YUerG/OIUlKyC7OKB+6K1l4Txz7BcbAk0RSM9VkztAAPg+x8A
RrJGfe2iiekM5QSPwJampTZOyqb+kxosKvN4dzjgxWuc+/196Id4LCe4XlvUKHDU
r+1TNyOxI9Km72pGjE96
=rCIV
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.