                 NetBSD Security Advisory 2010-011
                 =================================

Topic:          OpenSSL Double Free Arbitrary Code Execution

Version:        NetBSD-current:         source prior to August 11, 2010
                NetBSD 5.0.*:           affected
                NetBSD 5.0:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected
                pkgsrc:                 openssl package prior to 0.9.8onb1

Severity:       Denial of Service and potential arbitrary code execution

Fixed:          NetBSD-current:         August 12, 2010
                NetBSD-5-0 branch:      September 8, 2010
                NetBSD-5 branch:        September 8, 2010
                NetBSD-4-0 branch:      October 13, 2010
                NetBSD-4 branch:        October 13, 2010
                pkgsrc 2010Q3:          openssl-0.9.8onb1 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Client programs using the openssl library to open and process SSLv3 and
TLSv1 connections may crash or execute arbitrary code if the server
provides a specially crafted SSL key that can inject arbitrary code.

This vulnerability has been assigned CVE-2010-2939.

Technical Details
=================

A failure to set the pointer to a freed buffer to NULL in the
ssl3_get_key_exchange() function in the OpenSSL client (ssl/s3_clnt.c)
when using ECDH, results in a double free which in turn allows
context-dependent attackers to cause a denial of service (crash) and
possibly execute arbitrary code via a crafted private key with an
invalid prime.

Solutions and Workarounds
=========================

- Patch, recompile, and reinstall libssl.

  CVS branch     file                                                revision
  -------------  ----------------                                    --------
  HEAD           src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c  1.2

  CVS branch     file                                   revision
  -------------  ----------------                       --------
  netbsd-5-0     src/crypto/dist/openssl/ssl/s3_clnt.c  1.12.4.1.2.1
  netbsd-5       src/crypto/dist/openssl/ssl/s3_clnt.c  1.12.4.2
  netbsd-4-0     src/crypto/dist/openssl/ssl/s3_clnt.c  1.9.4.1.2.2
  netbsd-4       src/crypto/dist/openssl/ssl/s3_clnt.c  1.9.4.3

The following instructions briefly summarize how to update and
recompile libssl. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  FILES    with the file names for that branch (from the above table)

To update from CVS, re-build, and re-install libc and sftp:

* NetBSD-current:

        # cd src
        # cvs update -d -P -r BRANCH crypto/external/bsd/openssl/dist/ssl
        # cd lib/libcrypt
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../crypto/external/bsd/openssl/lib/libcrypto
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libssl
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

* NetBSD 5.*/4.*:

        # cd src
        # cvs update -d -P -r BRANCH crypto/dist/openssl/ssl
        # cd lib/libcrypt
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libcrypto
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libssl
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

For more information on building (oriented towards rebuilding the
entire system, however) see:

   http://www.netbsd.org/guide/en/chap-build.html

Thanks To
=========

Thanks to Georgi Guninski for discovering the problem and Mounir IDRASSI
for providing the fix. Thanks also to Matthias Drochner for providing
the necessary patches for NetBSD HEAD and netbsd-5 as well as
information on the impact of the vulnerability, and Christos Zoulas for
providing the patch to netbsd-4.

Revision History
================

        2010-10-28      Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-011.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2010, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-011.txt,v 1.1 2010/10/27 21:41:46 tonnerre Exp $
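
Added example (not part of the NetBSD advisory and not OpenSSL code): a
simplified C model of the bug class named under Technical Details, where
a buffer is released early and a shared error path releases it again
unless the pointer was set to NULL. All function and variable names are
hypothetical, and the free() stand-in only counts requests.

```c
/* Added example: simplified model of the free-without-NULL pattern.
 * Not OpenSSL code; every name here is hypothetical. */
#include <stdio.h>
#include <stdlib.h>

static int release_calls;   /* release requests made for the scratch buffer */

/* Stand-in for free(): counts requests instead of releasing memory, so the
 * demo never performs a real double free. Like free(), NULL is a no-op. */
static void tracked_free(void *p)
{
    if (p != NULL)
        release_calls++;
}

/* Models a handshake-message handler that releases a scratch buffer early
 * and then reaches a shared error label that releases it again.
 * Returns the number of release requests made for the buffer. */
int handle_key_exchange(int input_valid, int null_after_free)
{
    unsigned char *backing = malloc(64);  /* really freed exactly once below */
    unsigned char *scratch = backing;

    release_calls = 0;
    if (backing == NULL)
        return -1;

    tracked_free(scratch);                /* early release */
    if (null_after_free)
        scratch = NULL;                   /* the fix: drop the stale pointer */

    if (!input_valid)
        goto err;                         /* malformed input: error path */
    free(backing);
    return release_calls;

err:
    tracked_free(scratch);                /* cleanup releases any non-NULL pointer */
    free(backing);
    return release_calls;
}

int main(void)
{
    printf("valid input, pointer kept:     %d\n", handle_key_exchange(1, 0));
    printf("malformed input, pointer kept: %d\n", handle_key_exchange(0, 0));
    printf("malformed input, pointer NULL: %d\n", handle_key_exchange(0, 1));
    return 0;
}
```

A count of 2 is the double free: only malformed input reaches the second
release, and setting the pointer to NULL turns that release into a no-op.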