tags 444435 - sarge etch
clone 444435 -1
reassign -1 openssl097 0.9.7k-3.1
thanks

On Fri, Sep 28, 2007 at 04:16:02PM +0200, Axel Beckert wrote:
> Package: openssl
> Version: 0.9.8c-4, 0.9.7e-3sarge4
> Severity: critical
> Tags: sarge, etch, security

Since this applies to sid (and oldstable) too, those tags are just wrong.

So we have those versions:

openssl:
Oldstable 0.9.7e-3sarge4
Stable 0.9.8c-4
Testing 0.9.8e-6
Unstable 0.9.8e-8

openssl097:
Stable 0.9.7k-3.1
Testing 0.9.7k-3.1

openssl096
Oldstable 0.9.6m-1sarge4

All those versions are probably vulnerable.

I'm not sure if the security team wants to have a DSA covering
oldstable's versions.

> According to http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5135
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135 is not
> yet available):

The patch for it seems to be at:
http://cvs.openssl.org/chngview?cn=16587

I've also attached it.


Kurt

> Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL
> 0.9.7l and 0.9.8d might allow remote attackers to execute arbitrary
> code via a crafted packet that triggers a one-byte buffer underflow.
>
> According to the German IT news magazine "Heise Online", 0.9.7m and
> 0.9.8e are also affected:
> http://www.heise.de/security/news/meldung/96710
>
> Original source seems to be this Bugtraq posting:
> http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded
>
> According to this posting, all lower versions are affected, too.
>
> The release dates of 0.9.8e and 0.9.7m and the time line in the above
> mentioned Bugtraq posting suggest that not only 0.9.7l and 0.9.8d but
> also 0.9.7m and 0.9.8e are affected -- as Heise wrote.

Index: ssl_lib.c =================================================================== RCS file: /home/kurt/openssl/cvs/openssl-cvs/openssl/ssl/ssl_lib.c,v retrieving revision 1.133.2.9 retrieving revision 1.133.2.10 diff -u -r1.133.2.9 -r1.133.2.10 --- ssl_lib.c 12 Aug 2007 18:59:02 -0000 1.133.2.9 +++ ssl_lib.c 19 Sep 2007 12:16:21 -0000 1.133.2.10 @@ -1210,7 +1210,6 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) { char *p; - const char *cp; STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; int i; @@ -1223,20 +1222,21 @@ sk=s->session->ciphers; for (i=0; i<sk_SSL_CIPHER_num(sk); i++) { - /* Decrement for either the ':' or a '\0' */ - len--; + int n; + c=sk_SSL_CIPHER_value(sk,i); - for (cp=c->name; *cp; ) + n=strlen(c->name); + if (n+1 > len) { - if (len-- <= 0) - { - *p='\0'; - return(buf); - } - else - *(p++)= *(cp++); + if (p != buf) + --p; + *p='\0'; + return buf; } + strcpy(p,c->name); + p+=n; *(p++)=':'; + len-=n+1; } p[-1]='\0'; return(buf);
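
Review bot: in the second hunk, the unchanged `p[-1]='\0';` after the loop still assumes the loop copied at least one name. If `sk_SSL_CIPHER_num(sk)` is 0 the body never runs, `p` keeps its starting value (which the new `if (p != buf)` test treats as `buf`), and that store lands one byte before the caller's buffer, the same kind of one-byte underflow this report is about. Unless a check above the hunk already rejects an empty list, suggest returning early when the stack is empty, or guarding the final store with the same `p != buf` test. The new early-return path also writes `*p='\0'` when `p == buf`, which needs `len >= 1` on entry; that precondition is not visible in these lines and deserves an explicit check or a comment. Minor: `n=strlen(c->name)` narrows `size_t` to `int`; harmless for cipher names, but a cast or a `size_t` variable would make the intent explicit.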