ports/133156: [patch] [vuxml] security/openssl: update to 0.9.8k thus fixing secadv_20090325

Eygene Ryabinkin rea-fbsd at codelabs.ru
Sat Mar 28 14:50:03 UTC 2009


>Number:         133156
>Category:       ports
>Synopsis:       [patch] [vuxml] security/openssl: update to 0.9.8k thus fixing secadv_20090325
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 28 14:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.2-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.2-PRERELEASE amd64

>Description:

Multiple vulnerabilities were fixed in OpenSSL 0.9.8k:

1) An error exists in the "ASN1_STRING_print_ex()" function when
printing "BMPString" or "UniversalString" strings. This can be exploited
to trigger an access to invalid memory and cause a crash via an illegal
encoded string length when e.g. printing the contents of a certificate.

2) The "CMS_verify()" function incorrectly handles an error condition
when processing malformed signed attributes. This can be exploited to
trick an application into considering a malformed set of signed
attributes valid and skip further checks.

NOTE: This vulnerability only affects OpenSSL versions 0.9.8h and later
with CMS enabled (disabled by default).

Successful exploitation requires access to a previously generated
invalid signature.

3) An error when processing malformed ASN1 structures can be exploited
to trigger an access to invalid memory and cause a crash via a specially
crafted certificate.

NOTE: This vulnerability is only present on platforms where the size of
"long" is smaller than the size of "void *" (e.g. WIN64).


Please note that the OpenSSL in the base system is likely vulnerable to
these issues too.  But since I am not sure now, I am not mentioning
this in the VuXML entry.

>How-To-Repeat:

http://secunia.com/advisories/34411/
http://www.openssl.org/news/secadv_20090325.txt

>Fix:

The following patch updates the port to 0.9.8k.  It passes 'make
validate' and works for my daily operations.

--- update-to-0.9.8k.diff begins here ---
From c77146d7d0faf0f5226133f75ecf6249e6e81b31 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Sat, 28 Mar 2009 17:27:19 +0300

patch-enc_min.c was removed, because the issue was fixed in the vendor
version.

Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
 security/openssl/Makefile              |    3 +--
 security/openssl/distinfo              |    6 +++---
 security/openssl/files/patch-enc_min.c |   11 -----------
 3 files changed, 4 insertions(+), 16 deletions(-)
 delete mode 100644 security/openssl/files/patch-enc_min.c

diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index d283f91..639974b 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=	openssl
-PORTVERSION=	0.9.8j
-PORTREVISION=	1
+PORTVERSION=	0.9.8k
 CATEGORIES=	security devel
 MASTER_SITES=	http://www.openssl.org/%SUBDIR%/ \
 		ftp://ftp.openssl.org/%SUBDIR%/ \
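Review bot: the PORTVERSION bump from 0.9.8j to 0.9.8k is the security-relevant change here, yet the log message only explains the removal of patch-enc_min.c. Add a line to the log naming secadv_20090325 (and the CVE names from the VuXML entry) so the commit can be traced from the advisory. Dropping PORTREVISION together with the version bump is fine.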
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index 625d8f0..7e1cd3e 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,3 +1,3 @@
-MD5 (openssl-0.9.8j.tar.gz) = a5cb5f6c3d11affb387ecf7a997cac0c
-SHA256 (openssl-0.9.8j.tar.gz) = 7131242042dbd631fbd83436f42aea1775e7c32f587fa4ada5a01df4c3ae8e8b
-SIZE (openssl-0.9.8j.tar.gz) = 3738359
+MD5 (openssl-0.9.8k.tar.gz) = e555c6d58d276aec7fdc53363e338ab3
+SHA256 (openssl-0.9.8k.tar.gz) = 7e7cd4f3974199b729e6e3a0af08bd4279fde0370a1120c1a3b351ab090c6101
+SIZE (openssl-0.9.8k.tar.gz) = 3852259
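Review bot: the new MD5, SHA256 and SIZE values for openssl-0.9.8k.tar.gz come only from this submission, so they should be confirmed against a tarball fetched independently from the listed MASTER_SITES before commit. Regenerating distinfo with `make makesum` on the committer's machine and comparing the SHA256 line is sufficient; the MD5 line adds no integrity assurance beyond it.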
diff --git a/security/openssl/files/patch-enc_min.c b/security/openssl/files/patch-enc_min.c
deleted file mode 100644
index 7d4af5a..0000000
--- a/security/openssl/files/patch-enc_min.c
+++ /dev/null
@@ -1,11 +0,0 @@
---- crypto/evp/enc_min.c.orig	2008-12-02 19:14:44.000000000 +0100
-+++ crypto/evp/enc_min.c	2009-01-09 18:20:35.000000000 +0100
-@@ -199,7 +199,7 @@
- 			enc = 1;
- 		ctx->encrypt = enc;
- 		}
--#ifdef OPENSSL_NO_FIPS
-+#ifndef OPENSSL_NO_FIPS
- 	if(FIPS_selftest_failed())
- 		{
- 		FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
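Review bot: the deletion rests on the log message's statement that the issue was fixed in the vendor version, which nothing in the diff demonstrates. The local patch changed `#ifdef OPENSSL_NO_FIPS` to `#ifndef OPENSSL_NO_FIPS` in front of the `FIPS_selftest_failed()` check in crypto/evp/enc_min.c; please confirm that the 0.9.8k source has the `#ifndef` form at that spot and note it in the log, so the removal does not silently bring the inverted guard back.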
-- 
1.6.1.3
--- update-to-0.9.8k.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="31c51f51-1ba3-11de-8775-001b77d09812">
    <topic>OpenSSL -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>openssl</name>
        <range><lt>0.9.8k</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Secunia reports:</p>
        <blockquote
          cite="http://secunia.com/advisories/34411/">
          <p>Some vulnerabilities have been reported in OpenSSL, which
          can be exploited by malicious people to bypass certain
          security restrictions or cause a DoS (Denial of Service).</p>
          <ol>
            <li> An error exists in the "ASN1_STRING_print_ex()"
            function when printing "BMPString" or "UniversalString"
            strings. This can be exploited to trigger an access to
            invalid memory and cause a crash via an illegal encoded
            string length when e.g. printing the contents of a
            certificate.</li>
            <li> The "CMS_verify()" function incorrectly handles an
            error condition when processing malformed signed attributes.
            This can be exploited to trick an application into
            considering a malformed set of signed attributes valid and
            skip further checks.
              <em>NOTE: This vulnerability only affects OpenSSL versions
              0.9.8h and later with CMS enabled (disabled by
              default).</em>
            Successful exploitation
            requires access to a previously generated invalid
            signature.</li>
            <li> An error when processing malformed ASN1 structures can
            be exploited to trigger an access to invalid memory and
            cause a crash via a specially crafted certificate.
              <em>NOTE: This vulnerability is only present on platforms
              where the size of "long" is smaller than the size of
              "void*" (e.g.  WIN64).</em>
            </li>
          </ol>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2009-0590</cvename>
      <cvename>CVE-2009-0591</cvename>
      <cvename>CVE-2009-0789</cvename>
      <bid>34256</bid>
      <url>http://secunia.com/advisories/34411/</url>
      <url>http://www.openssl.org/news/secadv_20090325.txt</url>
    </references>
    <dates>
      <discovery>2009-03-25</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
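How the `<range><lt>0.9.8k</lt></range>` bound in the entry above decides which installed packages are flagged, as an added example that is not part of the PR or of the ports tools. `VULN_XML` is a constructed, trimmed copy of the entry; `version_key` and `affected` are hypothetical helper names, and the version ordering is a simplified assumption, not the full pkg comparison.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the entry's <affects> part (description omitted).
VULN_XML = """<vuln vid="31c51f51-1ba3-11de-8775-001b77d09812">
  <topic>OpenSSL -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>openssl</name>
      <range><lt>0.9.8k</lt></range>
    </package>
  </affects>
</vuln>"""

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "eq": lambda a, b: a == b}

def version_key(version):
    """Simplified ordering key for versions such as 0.9.8j_1 (assumption:
    dotted 'number + optional letter' parts and an optional _PORTREVISION;
    this is not the full pkg version comparison)."""
    base, _, rev = version.partition("_")
    parts = []
    for piece in base.split("."):
        m = re.fullmatch(r"(\d+)([a-z]?)", piece)
        if m is None:
            raise ValueError("unsupported version component: %r" % piece)
        parts.append((int(m.group(1)), m.group(2)))
    return (tuple(parts), int(rev or 0))

def affected(vuln_xml, name, version):
    """True if package name-version falls inside any <range> of the entry."""
    root = ET.fromstring(vuln_xml)
    installed = version_key(version)
    for pkg in root.iter("package"):
        if name not in [n.text for n in pkg.findall("name")]:
            continue
        for rng in pkg.findall("range"):
            bounds = list(rng)
            # Every bound inside one <range> must hold; an empty range matches nothing.
            if bounds and all(OPS[b.tag](installed, version_key(b.text)) for b in bounds):
                return True
    return False
```

With the port as it stands before the patch (0.9.8j, PORTREVISION 1) the entry matches; after the update to 0.9.8k it no longer does.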
>Release-Note:
>Audit-Trail:
>Unformatted:


