Security-Announce archive

NetBSD Security Advisory 2010-011: OpenSSL Double Free Arbitrary Code Execution

                 NetBSD Security Advisory 2010-011

Topic:          OpenSSL Double Free Arbitrary Code Execution

Version:        NetBSD-current:         source prior to August 11, 2010
                NetBSD 5.0.*:           affected
                NetBSD 5.0:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected
                pkgsrc:                 openssl package prior to 0.9.8onb1

Severity:       Denial of Service and potential arbitrary code execution

Fixed:          NetBSD-current:         August 12, 2010
                NetBSD-5-0 branch:      September 8, 2010
                NetBSD-5 branch:        September 8, 2010
                NetBSD-4-0 branch:      October 13, 2010
                NetBSD-4 branch:        October 13, 2010
                pkgsrc 2010Q3:          openssl-0.9.8onb1 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Client programs using the openssl library to open and process SSLv3 and TLSv1
connections may crash or execute arbitrary code if the server provides a
specially crafted SSL key that can inject arbitrary code.

This vulnerability has been assigned CVE-2010-2939.

Technical Details

A failure to set the pointer to a freed buffer to NULL in the
ssl3_get_key_exchange() function in the OpenSSL client (ssl/s3_clnt.c)
when using ECDH, results in a double free which in turn allows
context-dependent attackers to cause a denial of service (crash)
and possibly execute arbitrary code via a crafted private key with
an invalid prime.
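
The double-free pattern described above, as an added C example that is not part of the advisory and is not OpenSSL code. The names ctx_t, ctx_release(), process_step() and releases_for() are hypothetical, and the release function counts calls instead of freeing memory so that the second release can be observed safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a scratch context; not an OpenSSL type. */
typedef struct { int releases; } ctx_t;

/* Instrumented release: counts calls instead of calling free(), so a
 * second release is observable rather than undefined behaviour.
 * Releasing NULL is a no-op, as with free(NULL). */
static void ctx_release(ctx_t *c) { if (c != NULL) c->releases++; }

/* Models one message-processing step: the context is released early,
 * then a later check may fail and jump to the shared error cleanup. */
static int process_step(ctx_t *slot, int later_check_ok, int clear_ptr)
{
    ctx_t *ctx = slot;

    /* ... peer-supplied parameters are parsed using ctx ... */
    ctx_release(ctx);            /* early release, done with ctx */
    if (clear_ptr)
        ctx = NULL;              /* the fix: drop the stale pointer */

    if (!later_check_ok)         /* input-dependent failure after release */
        goto err;
    return 1;                    /* success never reaches the cleanup */
err:
    ctx_release(ctx);            /* stale pointer => second release */
    return -1;
}

/* Number of times the context was released during one run. */
int releases_for(int later_check_ok, int clear_ptr)
{
    ctx_t c = {0};
    (void)process_step(&c, later_check_ok, clear_ptr);
    return c.releases;
}

int main(void)
{
    printf("unpatched, valid input:   %d release(s)\n", releases_for(1, 0));
    printf("unpatched, invalid input: %d release(s)\n", releases_for(0, 0));
    printf("patched,   invalid input: %d release(s)\n", releases_for(0, 1));
    return 0;
}
```

The unpatched path releases the context twice only when the later check fails, which is why the defect is reachable through peer-controlled input and not during normal handshakes.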

Solutions and Workarounds

- Patch, recompile, and reinstall libssl.

  CVS branch    file                                                    revision
  ------------- ----------------                                        --------
  HEAD          src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c      1.2

  CVS branch    file                                            revision
  ------------- ----------------                                --------
  netbsd-5-0    src/crypto/dist/openssl/ssl/s3_clnt.c 

  netbsd-5      src/crypto/dist/openssl/ssl/s3_clnt.c 

  netbsd-4-0    src/crypto/dist/openssl/ssl/s3_clnt.c 

  netbsd-4      src/crypto/dist/openssl/ssl/s3_clnt.c 

The following instructions briefly summarize how to update and
recompile libssl. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  FILES    with the file names for that branch (from the above table)

To update from CVS, re-build, and re-install libc and sftp:

* NetBSD-current:

        # cd src
        # cvs update -d -P -r BRANCH crypto/external/bsd/openssl/dist/ssl
        # cd lib/libcrypt
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../crypto/external/bsd/openssl/lib/libcrypto
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libssl
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

* NetBSD 5.*/4.*:

        # cd src
        # cvs update -d -P -r BRANCH crypto/dist/openssl/ssl
        # cd lib/libcrypt
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libcrypto
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libssl
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

For more information on building (oriented towards rebuilding the
entire system, however) see:

Thanks To

Thanks to Georgi Guninski for discovering the problem and Mounir
IDRASSI for providing the fix.  Thanks also to Matthias Drochner
for providing the necessary patches for NetBSD HEAD and netbsd-5
as well as information on the impact of the vulnerability, and
Christos Zoulas for providing the patch to netbsd-4.

Revision History

        2010-10-28      Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2010, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-011.txt,v 1.1 2010/10/27 21:41:46 tonnerre Exp $
