Current-Users archive


NetBSD Security Advisory 2009-012: SHA2 implementation potential buffer overflow



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2009-012
                 =================================

Topic:          SHA2 implementation potential buffer overflow

Version:        NetBSD-current:         affected prior to 2009-05-26
                NetBSD 5.0:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected

Severity:       Denial of Service

Fixed:          NetBSD-current:         May 26, 2009
                NetBSD-5-0 branch:      Jul 11, 2009
                NetBSD-5 branch:        Jul 11, 2009
                NetBSD-4-0 branch:      Jul 22, 2009
                NetBSD-4 branch:        Jul 22, 2009

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An error in the initialization of a SHA2 context causes vulnerable
applications using libcrypto to suffer a 4-byte (SHA256) or 8-byte
(SHA512) buffer overflow with fixed content, potentially causing those
applications to crash.


Technical Details
=================

A program that uses the SHA2 context definitions from sys/sha2.h in
NetBSD but links against libcrypto is vulnerable to a 4-byte (SHA256)
or 8-byte (SHA512) buffer overflow with fixed content.

The overflow occurs when the hash init function (e.g. SHA256_Init) is
called: the init function passes a context size to memset that is
larger than the context the caller allocated, so memset writes 4 or 8
bytes past the end of the memory holding the context into whatever
object is located after it.

In the NetBSD base system this affects the libssh library (the internal
library behind ssh(1) and sshd(8)) as well as the pkg_install framework.
Where the context lives decides what gets corrupted: in programs using
libssh the context is heap-allocated, so the overflow hits the heap; in
pkg_install the context is on the stack and a stack overflow occurs.


Solutions and Workarounds
=========================

For programs in the NetBSD base system the issue can be worked around
by not using SHA256-based HMACs with the secure shell (restrict the
MACs setting of ssh(1) and sshd(8) to other algorithms), by not using
the pkg_install audit facility, and by not installing signed packages.

To determine whether or not a package is signed, run the command

        % tar tzf package.tgz

on the package. If the first file of the package is +PKG_HASH,
then the package is signed.

The following instructions describe how to upgrade your libc, libcrypt
and libcrypto binaries by updating your source tree and rebuilding and
installing new versions of these three libraries.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2009-05-26
        should be upgraded to NetBSD-current dated 2009-05-27 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                common/lib/libc/hash/sha2
                distrib/sets/lists
                lib/libc
                lib/libcrypto
                sys/sys

        To update from CVS, re-build, and re-install libc, libcrypt and libcrypto:
                # cd src
                # cvs update -d -P common/lib/libc/hash/sha2
                # cvs update -d -P distrib/sets/lists
                # cvs update -d -P lib/libc
                # cvs update -d -P lib/libcrypto
                # cvs update -d -P sys/sys
                # cd sys/sys
                # make USETOOLS=no cleandir
                # make USETOOLS=no includes
                # cd ../../lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libcrypt
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libcrypto
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 5.*:

        Systems running NetBSD 5.* sources dated from before
        2009-07-11 should be upgraded to NetBSD 5.* sources dated
        2009-07-12 or later.

        The following files/directories need to be updated from the
        netbsd-5 or netbsd-5-0 branches:
                common/lib/libc/hash/sha2
                distrib/sets/lists
                lib/libc
                lib/libcrypto
                sys/sys

        To update from CVS, re-build, and re-install libc, libcrypt and libcrypto:

                # cd src
                # cvs update -r <branch_name> -d -P common/lib/libc/hash/sha2
                # cvs update -r <branch_name> -d -P distrib/sets/lists
                # cvs update -r <branch_name> -d -P lib/libc
                # cvs update -r <branch_name> -d -P lib/libcrypto
                # cvs update -r <branch_name> -d -P sys/sys
                # cd sys/sys
                # make USETOOLS=no cleandir
                # make USETOOLS=no includes
                # cd ../../lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libcrypt
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libcrypto
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before
        2009-07-22 should be upgraded to NetBSD 4.* sources dated
        2009-07-23 or later.

        The following files/directories need to be updated from the
        netbsd-4 or netbsd-4-0 branches:
                common/lib/libc/hash/sha2
                distrib/sets/lists
                lib/libc
                lib/libcrypto
                sys/sys

        To update from CVS, re-build, and re-install libc, libcrypt and libcrypto:

                # cd src
                # cvs update -r <branch_name> -d -P common/lib/libc/hash/sha2
                # cvs update -r <branch_name> -d -P distrib/sets/lists
                # cvs update -r <branch_name> -d -P lib/libc
                # cvs update -r <branch_name> -d -P lib/libcrypto
                # cvs update -r <branch_name> -d -P sys/sys
                # cd sys/sys
                # make USETOOLS=no cleandir
                # make USETOOLS=no includes
                # cd ../../lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libcrypt
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libcrypto
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

Joerg Sonnenberger for finding, reporting and fixing the issue.


Revision History
================

        2009-07-28      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-012.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-012.txt,v 1.1 2009/07/28 18:29:29 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)
-----END PGP SIGNATURE-----

