146 lines
5.4 KiB
Text
146 lines
5.4 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-14:09.openssl Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: OpenSSL use-after-free vulnerability
|
|
|
|
Category: contrib
|
|
Module: openssl
|
|
Announced: 2014-04-30
|
|
Affects: FreeBSD 10.x.
|
|
Corrected: 2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE)
|
|
2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2)
|
|
CVE Name: CVE-2010-5298
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:http://security.FreeBSD.org/>.
|
|
|
|
0. Revision History
|
|
|
|
v1.0 2014-04-30 Initial release.
|
|
v1.1 2014-04-30 Added patch applying step in Solutions section.
|
|
|
|
I. Background
|
|
|
|
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
|
|
a collaborative effort to develop a robust, commercial-grade, full-featured
|
|
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
|
|
and Transport Layer Security (TLS v1) protocols as well as a full-strength
|
|
general purpose cryptography library.
|
|
|
|
OpenSSL context can be set to a mode called SSL_MODE_RELEASE_BUFFERS, which
|
|
requests the library to release the memory it holds when a read or write buffer
|
|
is no longer needed for the context.
|
|
|
|
II. Problem Description
|
|
|
|
The buffer may be released before the library have finished using it. It is
|
|
possible that a different SSL connection in the same process would use the
|
|
released buffer and write data into it.
|
|
|
|
III. Impact
|
|
|
|
An attacker may be able to inject data to a different connection that they
|
|
should not be able to.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available, but systems that do not use OpenSSL to implement
|
|
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
|
|
protocols, or not using SSL_MODE_RELEASE_BUFFERS and use the same process
|
|
to handle multiple SSL connections, are not vulnerable.
|
|
|
|
The FreeBSD base system service daemons and utilities do not use the
|
|
SSL_MODE_RELEASE_BUFFERS mode. However, many third party software uses this
|
|
mode to reduce their memory footprint and may therefore be affected by this
|
|
issue.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch http://security.FreeBSD.org/patches/SA-14:09/openssl.patch
|
|
# fetch http://security.FreeBSD.org/patches/SA-14:09/openssl.patch.asc
|
|
# gpg --verify openssl.patch.asc
|
|
|
|
b) Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
Recompile the operating system using buildworld and installworld as
|
|
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
Restart all deamons using the library, or reboot the system.
|
|
|
|
3) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/10/ r265122
|
|
releng/10.0/ r265124
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig>
|
|
|
|
<URL:https://rt.openssl.org/Ticket/Display.html?id=2167&user=guest&pass=guest>
|
|
|
|
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:09.openssl.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v2.0.22 (FreeBSD)
|
|
|
|
iQIcBAEBCgAGBQJTYUi5AAoJEO1n7NZdz2rnk/8QAMUvAUQzbd0PE8QYH2ZlnHuO
|
|
fhY8xeIxXzK7/e4WOpXDmC68phxLcGQF4YRtX7Wu/yEchIk7cJPocx6kkht8CpCG
|
|
t7BpgQOyWY7QRHkIg+hzcooWJFK8nS9miXrwI0vOgWNIbI+iNaSZwNcBsrqF45hI
|
|
U1/Z6EWFqmEq+VJBtzpp6F7etYYn8OomBF0XFj13Dtr1UnuG+QqOF0c7FH4o0oiL
|
|
+LpTPlgpubOR1wIx/7nR4j5VeXUwHK3Lrv9X5395YmLVca6pHzeG3pFjGuJJMf8E
|
|
9t4Y13EfnetO1AEX7Up86i2h28P8nTqmse+m60LAAwMuHpTRvzruQNvzBguv5Nb7
|
|
kVoZKbHb8Ji2rrUEQ//tEYcp57iry0ukvP3uzyvA8q17FeGvx/aJl9Wcc6s+Untd
|
|
n2WbVvYLnGGNWWI35Yi5eo7TCKcj8z/s0Wgb0omWh7cz7YCjveoG/2x9BHwVGunf
|
|
VxEmhXPW8HKSEVf/w/yEIAJIechpRv3q9y+Yh5vgMzVqwoP3nXESuQxpzm6Bx/2P
|
|
0ZV+IQNAGRXIBQWqjDqC0yZJ/8QNkp+NDRE8ZZHjxnJeQZCayCaEBmjQZcU9qRHP
|
|
Y2eHu+AiDSi5j2hKyWwY59xlUJ+hBCejzSc0kGiuNq1GWIKltGZ48dnN+H4d4Z6C
|
|
ZYF6H9F0ykvTxWFfVlFx
|
|
=H1mN
|
|
-----END PGP SIGNATURE-----
|