ports/133156: [patch] [vuxml] security/openssl: update to 0.9.8k thus fixing secadv_20090325
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Sat Mar 28 14:50:03 UTC 2009
>Number: 133156
>Category: ports
>Synopsis: [patch] [vuxml] security/openssl: update to 0.9.8k thus fixing secadv_20090325
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Mar 28 14:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.2-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.2-PRERELEASE amd64
>Description:
Multiple vulnerabilities were fixed in OpenSSL 0.9.8k:
1) An error exists in the "ASN1_STRING_print_ex()" function when
printing "BMPString" or "UniversalString" strings. This can be exploited
to trigger an access to invalid memory and cause a crash via an illegal
encoded string length when e.g. printing the contents of a certificate.
2) The "CMS_verify()" function incorrectly handles an error condition
when processing malformed signed attributes. This can be exploited to
trick an application into considering a malformed set of signed
attributes valid and skip further checks.
NOTE: This vulnerability only affects OpenSSL versions 0.9.8h and later
with CMS enabled (disabled by default).
Successful exploitation requires access to a previously generated
invalid signature.
3) An error when processing malformed ASN1 structures can be exploited
to trigger an access to invalid memory and cause a crash via a specially
crafted certificate.
NOTE: This vulnerability is only present on platforms where the size of
"long" is smaller than the size of "void *" (e.g. WIN64).
Please note that the OpenSSL in the base system is likely vulnerable to
these issues too. But since I am not sure now, I am not mentioning
this in the VuXML entry.
>How-To-Repeat:
http://secunia.com/advisories/34411/
http://www.openssl.org/news/secadv_20090325.txt
>Fix:
The following patch updates the port to 0.9.8k. It passes 'make
validate' and works for my daily operations.
--- update-to-0.9.8k.diff begins here ---
From c77146d7d0faf0f5226133f75ecf6249e6e81b31 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Sat, 28 Mar 2009 17:27:19 +0300
patch-enc_min.c was removed, because the issue was fixed in the vendor
version.
Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
security/openssl/Makefile | 3 +--
security/openssl/distinfo | 6 +++---
security/openssl/files/patch-enc_min.c | 11 -----------
3 files changed, 4 insertions(+), 16 deletions(-)
delete mode 100644 security/openssl/files/patch-enc_min.c
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index d283f91..639974b 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -6,8 +6,7 @@
#
PORTNAME= openssl
-PORTVERSION= 0.9.8j
-PORTREVISION= 1
+PORTVERSION= 0.9.8k
CATEGORIES= security devel
MASTER_SITES= http://www.openssl.org/%SUBDIR%/ \
ftp://ftp.openssl.org/%SUBDIR%/ \
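Review bot: the removal of `PORTREVISION= 1` alongside the `PORTVERSION` bump is intentional and correct, not a stray deletion: a new PORTVERSION restarts the revision at its default, so carrying `_1` forward would produce a wrong package name. Nothing else in this hunk needs changing.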
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index 625d8f0..7e1cd3e 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,3 +1,3 @@
-MD5 (openssl-0.9.8j.tar.gz) = a5cb5f6c3d11affb387ecf7a997cac0c
-SHA256 (openssl-0.9.8j.tar.gz) = 7131242042dbd631fbd83436f42aea1775e7c32f587fa4ada5a01df4c3ae8e8b
-SIZE (openssl-0.9.8j.tar.gz) = 3738359
+MD5 (openssl-0.9.8k.tar.gz) = e555c6d58d276aec7fdc53363e338ab3
+SHA256 (openssl-0.9.8k.tar.gz) = 7e7cd4f3974199b729e6e3a0af08bd4279fde0370a1120c1a3b351ab090c6101
+SIZE (openssl-0.9.8k.tar.gz) = 3852259
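Review bot: the new MD5, SHA256 and SIZE lines should be cross-checked against the checksums or signature the OpenSSL project publishes for openssl-0.9.8k.tar.gz, not only regenerated with `make makesum`; makesum hashes whatever the fetch stage received, so a tampered or truncated download from a mirror would be locked into distinfo as the expected value. Noting in the commit log that the SHA256 was matched against the vendor's value makes that verification auditable later.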
diff --git a/security/openssl/files/patch-enc_min.c b/security/openssl/files/patch-enc_min.c
deleted file mode 100644
index 7d4af5a..0000000
--- a/security/openssl/files/patch-enc_min.c
+++ /dev/null
@@ -1,11 +0,0 @@
---- crypto/evp/enc_min.c.orig 2008-12-02 19:14:44.000000000 +0100
-+++ crypto/evp/enc_min.c 2009-01-09 18:20:35.000000000 +0100
-@@ -199,7 +199,7 @@
- enc = 1;
- ctx->encrypt = enc;
- }
--#ifdef OPENSSL_NO_FIPS
-+#ifndef OPENSSL_NO_FIPS
- if(FIPS_selftest_failed())
- {
- FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
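Review bot: dropping files/patch-enc_min.c relies on the commit message's statement that the vendor fixed this in 0.9.8k, but the hunk itself gives no evidence of that; before committing, extract the new tarball and confirm that the guard around `FIPS_selftest_failed()` in `${WRKSRC}/crypto/evp/enc_min.c` already reads `#ifndef OPENSSL_NO_FIPS` (for example `make extract` followed by `grep -n OPENSSL_NO_FIPS $(make -V WRKSRC)/crypto/evp/enc_min.c`). If it does not, the port silently regresses to the 0.9.8j behaviour this local patch corrected.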
--
1.6.1.3
--- update-to-0.9.8k.diff ends here ---
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="31c51f51-1ba3-11de-8775-001b77d09812">
<topic>OpenSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>0.9.8k</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote
cite="http://secunia.com/advisories/34411/">
<p>Some vulnerabilities have been reported in OpenSSL, which
can be exploited by malicious people to bypass certain
security restrictions or cause a DoS (Denial of Service).</p>
<ol>
<li> An error exists in the "ASN1_STRING_print_ex()"
function when printing "BMPString" or "UniversalString"
strings. This can be exploited to trigger an access to
invalid memory and cause a crash via an illegal encoded
string length when e.g. printing the contents of a
certificate.</li>
<li> The "CMS_verify()" function incorrectly handles an
error condition when processing malformed signed attributes.
This can be exploited to trick an application into
considering a malformed set of signed attributes valid and
skip further checks.
<em>NOTE: This vulnerability only affects OpenSSL versions
0.9.8h and later with CMS enabled (disabled by
default).</em>
Successful exploitation
requires access to a previously generated invalid
signature.</li>
<li> An error when processing malformed ASN1 structures can
be exploited to trigger an access to invalid memory and
cause a crash via a specially crafted certificate.
<em>NOTE: This vulnerability is only present on platforms
where the size of "long" is smaller than the size of
"void*" (e.g. WIN64).</em>
</li>
</ol>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-0590</cvename>
<cvename>CVE-2009-0591</cvename>
<cvename>CVE-2009-0789</cvename>
<bid>34256</bid>
<url>http://secunia.com/advisories/34411/</url>
<url>http://www.openssl.org/news/secadv_20090325.txt</url>
</references>
<dates>
<discovery>2009-03-25</discovery>
<entry>TODAY</entry>
</dates>
</vuln>
--- vuln.xml ends here ---
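The VuXML entry above is the record a vulnerability checker evaluates against installed packages. The following Python is an added example, not part of this PR or of the ports tree: it parses a trimmed copy of the entry (vid, package name, range and CVE references as above; the description body is dropped to keep it short) and decides for constructed package names whether they fall in the `<lt>0.9.8k</lt>` range. The version ordering is a simplified stand-in for pkg version ordering (numeric runs compare as integers, letter runs as strings, `_revision` and `,epoch` in their usual positions), an assumption rather than a reimplementation of the ports tools, and the fragment is parsed without the default namespace a full vuln.xml declares.

```python
"""Check installed package names against a VuXML <vuln> entry.

Added example, not part of the PR.  The version ordering below is a
simplified stand-in for pkg version ordering (an assumption), good enough
for a range like <lt>0.9.8k</lt> but not a full reimplementation.
"""
import re
import xml.etree.ElementTree as ET

# Constructed: the PR's entry with the <description> body dropped so it
# stays short; vid, package range and references are taken from the PR.
VULN_XML = """\
<vuln vid="31c51f51-1ba3-11de-8775-001b77d09812">
  <topic>OpenSSL -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>openssl</name>
      <range><lt>0.9.8k</lt></range>
    </package>
  </affects>
  <references>
    <cvename>CVE-2009-0590</cvename>
    <cvename>CVE-2009-0591</cvename>
    <cvename>CVE-2009-0789</cvename>
  </references>
</vuln>
"""

_TOKEN = re.compile(r"\d+|[A-Za-z]+")

# VuXML range operators, applied as:  installed <op> bound
_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def version_key(version):
    """Turn a '0.9.8j_1,0'-style version into a sortable key.

    Epoch (after ',') dominates, then the dotted version, then the
    _revision.  Numeric runs compare as integers, alphabetic runs as
    lower-cased strings, so 0.9.8j < 0.9.8k and 0.9.8 < 0.9.8k.
    """
    epoch = 0
    if "," in version:
        version, epoch_str = version.rsplit(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.rsplit("_", 1)
        revision = int(rev_str)
    tokens = []
    for tok in _TOKEN.findall(version):
        if tok.isdigit():
            tokens.append((1, int(tok), ""))   # numbers sort above letters
        else:
            tokens.append((0, 0, tok.lower()))
    return (epoch, tuple(tokens), revision)


def split_pkgname(pkgname):
    """'openssl-0.9.8j_1' -> ('openssl', '0.9.8j_1'); the name may contain '-'."""
    name, sep, version = pkgname.rpartition("-")
    if not sep or not name or not version:
        raise ValueError(f"not a package name: {pkgname!r}")
    return name, version


def parse_vuln(xml_text):
    """Extract the parts of a <vuln> entry a checker needs."""
    root = ET.fromstring(xml_text)
    packages = []
    for pkg in root.iter("package"):
        names = [n.text.strip() for n in pkg.findall("name")]
        ranges = [[(b.tag, b.text.strip()) for b in rng]
                  for rng in pkg.findall("range")]
        packages.append((names, ranges))
    return {
        "vid": root.get("vid"),
        "topic": root.findtext("topic"),
        "cves": [c.text.strip() for c in root.iter("cvename")],
        "packages": packages,
    }


def in_range(version, bounds):
    """True when every bound of one <range> holds for the installed version."""
    key = version_key(version)
    return all(_OPS[op](key, version_key(bound)) for op, bound in bounds)


def affected(vuln, pkgname):
    """True if pkgname names an affected package and matches one of its ranges."""
    name, version = split_pkgname(pkgname)
    return any(
        name in names and any(in_range(version, bounds) for bounds in ranges)
        for names, ranges in vuln["packages"]
    )


def audit(pkgnames, xml_text=VULN_XML):
    """Map each installed package name to whether the entry affects it."""
    vuln = parse_vuln(xml_text)
    return {p: affected(vuln, p) for p in pkgnames}


if __name__ == "__main__":
    # Constructed sample of installed packages, as pkg_info would list them.
    sample = ["openssl-0.9.8j_1", "openssl-0.9.8k", "openssl-1.0.0", "curl-7.19.4"]
    for pkg, hit in audit(sample).items():
        print(f"{pkg:20} {'VULNERABLE' if hit else 'ok'}")
```

With the constructed sample, `openssl-0.9.8j_1` is reported as affected (the revision suffix does not rescue a vulnerable base version), `openssl-0.9.8k` and `openssl-1.0.0` are not, and `curl-7.19.4` is skipped because the entry names only `openssl`.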
>Release-Note:
>Audit-Trail:
>Unformatted: