Package: openssl
Version: 0.9.8g-15+lenny6
Tags: lenny,security,patch

This bug report is based upon CVE-2009-3245
OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand 
function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) 
crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which 
has unspecified impact and context-dependent attack vectors.

http://security-tracker.debian.org/tracker/CVE-2009-3245

While the security-tracker includes a "Minor issue" comment in the notes, the 
CVE
states "NVD severity       high (attack range: remote)" so perhaps there should
be a security update for the version in Debian stable.

The upstream fixes are available, visible from
http://cvs.openssl.org/chngview?cn=19309

and that changeset applies cleanly to the .c files in the stable
Debian 0.9.8g-15+lenny6 source. And is attached to this message.

Index: openssl/CHANGES
RCS File: /v/openssl/cvs/openssl/CHANGES,v
rcsdiff -q -kk '-r1.1238.2.188' '-r1.1238.2.189' -u 
'/v/openssl/cvs/openssl/CHANGES,v' 2>/dev/null
--- CHANGES     2010/02/19 18:25:37     1.1238.2.188
+++ CHANGES     2010/02/23 10:36:39     1.1238.2.189
@@ -4,6 +4,9 @@
 
  Changes between 0.9.8l and 0.9.8m [xx XXX xxxx]
 
+  *) Always check bn_wexpend() return values for failure.  (CVE-2009-3245)
+     [Martin Olsson, Neel Mehta]
+
   *) Fix X509_STORE locking: Every 'objs' access requires a lock (to
      accommodate for stack sorting, always a write lock!).
      [Bodo Moeller]
Index: openssl/crypto/bn/bn_div.c
RCS File: /v/openssl/cvs/openssl/crypto/bn/bn_div.c,v
rcsdiff -q -kk '-r1.37.2.8' '-r1.37.2.9' -u 
'/v/openssl/cvs/openssl/crypto/bn/bn_div.c,v' 2>/dev/null
--- bn_div.c    2009/06/17 11:26:39     1.37.2.8
+++ bn_div.c    2010/02/23 10:36:41     1.37.2.9
@@ -102,7 +102,7 @@
        /* The next 2 are needed so we can do a dv->d[0]|=1 later
         * since BN_lshift1 will only work once there is a value :-) */
        BN_zero(dv);
-       bn_wexpand(dv,1);
+       if(bn_wexpand(dv,1) == NULL) goto end;
        dv->top=1;
 
        if (!BN_lshift(D,D,nm-nd)) goto end;
Index: openssl/crypto/bn/bn_gf2m.c
RCS File: /v/openssl/cvs/openssl/crypto/bn/bn_gf2m.c,v
rcsdiff -q -kk '-r1.18.2.2' '-r1.18.2.3' -u 
'/v/openssl/cvs/openssl/crypto/bn/bn_gf2m.c,v' 2>/dev/null
--- bn_gf2m.c   2008/06/23 20:46:28     1.18.2.2
+++ bn_gf2m.c   2010/02/23 10:36:41     1.18.2.3
@@ -294,7 +294,8 @@
        if (a->top < b->top) { at = b; bt = a; }
        else { at = a; bt = b; }
 
-       bn_wexpand(r, at->top);
+       if(bn_wexpand(r, at->top) == NULL)
+               return 0;
 
        for (i = 0; i < bt->top; i++)
                {
Index: openssl/crypto/ec/ec2_smpl.c
RCS File: /v/openssl/cvs/openssl/crypto/ec/ec2_smpl.c,v
rcsdiff -q -kk '-r1.14.2.1' '-r1.14.2.2' -u 
'/v/openssl/cvs/openssl/crypto/ec/ec2_smpl.c,v' 2>/dev/null
--- ec2_smpl.c  2006/03/13 23:12:07     1.14.2.1
+++ ec2_smpl.c  2010/02/23 10:36:41     1.14.2.2
@@ -174,8 +174,10 @@
        dest->poly[2] = src->poly[2];
        dest->poly[3] = src->poly[3];
        dest->poly[4] = src->poly[4];
-       bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
-       bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+       if(bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) 
== NULL)
+               return 0;
+       if(bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) 
== NULL)
+               return 0;
        for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0;
        for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0;
        return 1;
@@ -199,12 +201,12 @@
 
        /* group->a */
        if (!BN_GF2m_mod_arr(&group->a, a, group->poly)) goto err;
-       bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+       if(bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / 
BN_BITS2) == NULL) goto err;
        for (i = group->a.top; i < group->a.dmax; i++) group->a.d[i] = 0;
        
        /* group->b */
        if (!BN_GF2m_mod_arr(&group->b, b, group->poly)) goto err;
-       bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+       if(bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / 
BN_BITS2) == NULL) goto err;
        for (i = group->b.top; i < group->b.dmax; i++) group->b.d[i] = 0;
                
        ret = 1;
Index: openssl/engines/e_ubsec.c
RCS File: /v/openssl/cvs/openssl/engines/e_ubsec.c,v
rcsdiff -q -kk '-r1.13.2.3' '-r1.13.2.4' -u 
'/v/openssl/cvs/openssl/engines/e_ubsec.c,v' 2>/dev/null
--- e_ubsec.c   2007/09/06 12:43:53     1.13.2.3
+++ e_ubsec.c   2010/02/23 10:36:41     1.13.2.4
@@ -934,7 +934,7 @@
                 priv_key = BN_new();
                 if (priv_key == NULL) goto err;
                 priv_key_len = BN_num_bits(dh->p);
-                bn_wexpand(priv_key, dh->p->top);
+                if(bn_wexpand(priv_key, dh->p->top) == NULL) goto err;
                 do
                         if (!BN_rand_range(priv_key, dh->p)) goto err;
                 while (BN_is_zero(priv_key));
@@ -949,7 +949,7 @@
                 {
                 pub_key = BN_new();
                 pub_key_len = BN_num_bits(dh->p);
-                bn_wexpand(pub_key, dh->p->top);
+                if(bn_wexpand(pub_key, dh->p->top) == NULL) goto err;
                 if(pub_key == NULL) goto err;
                 }
         else

Reply via email to