Bug#594415: marked as done (CVE-2010-2939: Double free)

Debian Bug Tracking System Tue, 31 Aug 2010 07:00:31 -0700

Your message dated Tue, 31 Aug 2010 13:59:29 +0000
with message-id <e1oqrn3-0005wn...@franck.debian.org>
and subject line Bug#594415: fixed in openssl 0.9.8g-15+lenny8
has caused the Debian Bug report #594415,
regarding CVE-2010-2939: Double free
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
594415: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594415
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: openssl
Version: 0.9.8o-1
Severity: grave
Tags: security

Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939

Solar Designer posted an analysis on oss-security:

---

> Georgi Guninski found a double free issue in openssl's client implementation:
> http://www.mail-archive.com/openssl-...@openssl.org/msg28043.html
> The affected code also is in pre 1.0 versions but only 1.0 uses ECDH
> for ssl by default AFAICT.

I took a brief look at the code.  ECDH was introduced somewhere between
0.9.7 and 0.9.8.  0.9.7m doesn't have it (so it was never backported to
those stable releases), 0.9.8 does.  The double-free bug, or at least
the code being patched now, is already present in 0.9.8.

Here's the trivial patch:

http://www.mail-archive.com/openssl-...@openssl.org/msg28049.html

which should work for 0.9.8+ (applies cleanly to 0.9.8, with an offset)
and is not needed for older versions.

Alexander

---

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssl depends on:
ii  libc6                   2.11.2-2         Embedded GNU C Library: Shared lib
ii  libssl0.9.8             0.9.8o-1         SSL shared libraries
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates            20090814+nmu2 Common CA certificates

-- no debconf information

--- End Message ---

--- Begin Message ---

Source: openssl
Source-Version: 0.9.8g-15+lenny8

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:

libcrypto0.9.8-udeb_0.9.8g-15+lenny8_amd64.udeb
  to main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny8_amd64.udeb
libssl-dev_0.9.8g-15+lenny8_amd64.deb
  to main/o/openssl/libssl-dev_0.9.8g-15+lenny8_amd64.deb
libssl0.9.8-dbg_0.9.8g-15+lenny8_amd64.deb
  to main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny8_amd64.deb
libssl0.9.8_0.9.8g-15+lenny8_amd64.deb
  to main/o/openssl/libssl0.9.8_0.9.8g-15+lenny8_amd64.deb
openssl_0.9.8g-15+lenny8.diff.gz
  to main/o/openssl/openssl_0.9.8g-15+lenny8.diff.gz
openssl_0.9.8g-15+lenny8.dsc
  to main/o/openssl/openssl_0.9.8g-15+lenny8.dsc
openssl_0.9.8g-15+lenny8_amd64.deb
  to main/o/openssl/openssl_0.9.8g-15+lenny8_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 594...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <k...@roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 26 Aug 2010 19:49:39 +0200
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8g-15+lenny8
Distribution: stable-security
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-de...@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <k...@roeckx.be>
Description: 
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 594415
Changes: 
 openssl (0.9.8g-15+lenny8) stable-security; urgency=low
 .
   * Fix CVE-2010-2939: Double free using ECDH. (Closes: #594415)
Checksums-Sha1: 
 ce39e6240b326163e7b5e4ca0c25d4ceaafc77ec 1973 openssl_0.9.8g-15+lenny8.dsc
 e9017877390ee6fb04109ead10180d550a403eb6 60148 openssl_0.9.8g-15+lenny8.diff.gz
 bf7afa987a877a33c606269ad722bf9c2d4aa3f7 1043270 
openssl_0.9.8g-15+lenny8_amd64.deb
 72a517ca68e7021d7697238b1b530449f112dfbd 975790 
libssl0.9.8_0.9.8g-15+lenny8_amd64.deb
 835bbc1927486cc84473f153bc60df2d81f4148c 638416 
libcrypto0.9.8-udeb_0.9.8g-15+lenny8_amd64.udeb
 8f93b091e71f244d63603c608ca06d9d2931bdf2 2243092 
libssl-dev_0.9.8g-15+lenny8_amd64.deb
 849ba56e08c73fce511eb24bf0ddb8d53009ee3b 1627634 
libssl0.9.8-dbg_0.9.8g-15+lenny8_amd64.deb
Checksums-Sha256: 
 c91eb5b2c0200debb80ce9f6fc8a901eb0756d0ec91c705ba03dd2978b37e95a 1973 
openssl_0.9.8g-15+lenny8.dsc
 a1b981e9896f95639f32f9f060ac9c5abfc7c9e27ae31f7b8be3ed18b73cd06e 60148 
openssl_0.9.8g-15+lenny8.diff.gz
 ece7b84d1e59f1e9159a28134442d7b51faf13fb1e2f6517ce9596201bf14cb4 1043270 
openssl_0.9.8g-15+lenny8_amd64.deb
 18ad065450cb808fa45e5da2af8eb32d204604d679fa152e04b3f898dc857b0a 975790 
libssl0.9.8_0.9.8g-15+lenny8_amd64.deb
 6ef97a7691ba03de1ef4a5097d0e5d9ec9f46a4ee3f047f730b3bfc5a3e610cb 638416 
libcrypto0.9.8-udeb_0.9.8g-15+lenny8_amd64.udeb
 a9242c0b4c6fc54c0e3682dc96329c449e8b0b8161d93d26929b34a34d48869a 2243092 
libssl-dev_0.9.8g-15+lenny8_amd64.deb
 8037ad7f0c6fe78cdb7604fa3b707540ab6cc8591481d5cb63c8e770d0dc1371 1627634 
libssl0.9.8-dbg_0.9.8g-15+lenny8_amd64.deb
Files: 
 b3bc5cc9d4396dd53408d1523e5d9922 1973 utils optional 
openssl_0.9.8g-15+lenny8.dsc
 e011a196c7a96bdcfba8e8d1c7842d7a 60148 utils optional 
openssl_0.9.8g-15+lenny8.diff.gz
 7ccee021eceb10b6bcd55222f0f9c00f 1043270 utils optional 
openssl_0.9.8g-15+lenny8_amd64.deb
 04b625095430068834e3621b47749d60 975790 libs important 
libssl0.9.8_0.9.8g-15+lenny8_amd64.deb
 d578d3861d7402f70d340cb138e969c8 638416 debian-installer optional 
libcrypto0.9.8-udeb_0.9.8g-15+lenny8_amd64.udeb
 0b4a82a5a95df9d092498065e2c69d88 2243092 libdevel optional 
libssl-dev_0.9.8g-15+lenny8_amd64.deb
 e86e98d321e13f6941a5b14568cecbae 1627634 libdevel extra 
libssl0.9.8-dbg_0.9.8g-15+lenny8_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCgAGBQJMdrCiAAoJEGpMZM6DE7Xw6L8QAIJD94C7jl8/8xMzb7/fhDeK
jneEgx6+nhnUzMFxanu1RlvAfyUcEcWrFEH4Mfs80cbXQ8DJv27ipDx2d5v6rS3z
lECrsrmcPdCLLtDKOrM2Fhmnkb1MxlBIpNYJIt+sQ5+prMFA8NUjSj8t+J1R/eup
EBKe/kbYUMGPJgeGxQbKe4Dup3r6r1tK4LbCaB4OA5S13idweS8S6EQBqWuFnnUf
JN73Yk5WWgAtn9hbvhIa7OY/6csmEZKYHfXHNLsIh1T1luLoZRsT6S4o56r9Gam1
/k5DM1TvyUGLa/uIOSzWqEWfwtlQo7CbO1UiV1SBmvay6b2mc52sBLHCUC348t5f
HwBlia7aSpou0g0+oPsdewcxB767OO8Qo3JnBIJhN7DcFDPsGBotVAmb+H3bHjxW
xldNiGewmJq4/RHOa+KkqucGXWr3rI31HLYSt9NsZ5z1Vh4cDiyQ8CjmFUuAEDv8
/pVdGXHGKLQnY5l07kAq72dNOTneqLf4abqnRywhmmxOw+uF5CN0d1aaghJc25+8
w/yl9MmCMBNZr2EPXuzBdw0Rg8ByOszs8YiSLfCX6FBL1Xfm1P2ouD/XPpOQLCMv
3QPpQLtFdscJ6nGLrDD2SwOqlnlr3ladX5cPJpd8B/U2Hrtj3bHuxxrjD7WDnJ4N
XqodgU5YiNZjJT/8O3KR
=1zIV
-----END PGP SIGNATURE-----

--- End Message ---

Bug#594415: marked as done (CVE-2010-2939: Double free)

Reply via email to