Your message dated Thu, 26 Aug 2010 17:47:18 +0000
with message-id <e1oogxm-0002l9...@franck.debian.org>
and subject line Bug#594415: fixed in openssl 0.9.8o-2
has caused the Debian Bug report #594415,
regarding CVE-2010-2939: Double free
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
594415: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594415
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openssl
Version: 0.9.8o-1
Severity: grave
Tags: security
Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939
Solar Designer posted an analysis on oss-security:
---
> Georgi Guninski found a double free issue in openssl's client implementation:
> http://www.mail-archive.com/openssl-...@openssl.org/msg28043.html
> The affected code also is in pre 1.0 versions but only 1.0 uses ECDH
> for ssl by default AFAICT.
I took a brief look at the code. ECDH was introduced somewhere between
0.9.7 and 0.9.8. 0.9.7m doesn't have it (so it was never backported to
those stable releases), 0.9.8 does. The double-free bug, or at least
the code being patched now, is already present in 0.9.8.
Here's the trivial patch:
http://www.mail-archive.com/openssl-...@openssl.org/msg28049.html
which should work for 0.9.8+ (applies cleanly to 0.9.8, with an offset)
and is not needed for older versions.
Alexander
---
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssl depends on:
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libssl0.9.8 0.9.8o-1 SSL shared libraries
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20090814+nmu2 Common CA certificates
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 0.9.8o-2
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:
libcrypto0.9.8-udeb_0.9.8o-2_amd64.udeb
to main/o/openssl/libcrypto0.9.8-udeb_0.9.8o-2_amd64.udeb
libssl-dev_0.9.8o-2_amd64.deb
to main/o/openssl/libssl-dev_0.9.8o-2_amd64.deb
libssl0.9.8-dbg_0.9.8o-2_amd64.deb
to main/o/openssl/libssl0.9.8-dbg_0.9.8o-2_amd64.deb
libssl0.9.8_0.9.8o-2_amd64.deb
to main/o/openssl/libssl0.9.8_0.9.8o-2_amd64.deb
openssl_0.9.8o-2.debian.tar.gz
to main/o/openssl/openssl_0.9.8o-2.debian.tar.gz
openssl_0.9.8o-2.dsc
to main/o/openssl/openssl_0.9.8o-2.dsc
openssl_0.9.8o-2_amd64.deb
to main/o/openssl/openssl_0.9.8o-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 594...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <k...@roeckx.be> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 26 Aug 2010 18:25:29 +0200
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8o-2
Distribution: unstable
Urgency: high
Maintainer: Debian OpenSSL Team <pkg-openssl-de...@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <k...@roeckx.be>
Description:
libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
libssl-dev - SSL development libraries, header files and documentation
libssl0.9.8 - SSL shared libraries
libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 594415
Changes:
openssl (0.9.8o-2) unstable; urgency=high
.
* Fix CVE-2010-2939: Double free using ECDH. (Closes: #594415)
Checksums-Sha1:
37f88b2c9c8ce74989d8e29acdd16e55d295d24c 1967 openssl_0.9.8o-2.dsc
fe2136e237f643962fa94096e28ca5916543e084 59243 openssl_0.9.8o-2.debian.tar.gz
de25ae06394d2ba34d70602547214f28e86e33cc 1059178 openssl_0.9.8o-2_amd64.deb
4294f425ab7c6054590428100fd3585972b22e68 945436 libssl0.9.8_0.9.8o-2_amd64.deb
6e0689b5baeacde4da231497d3293ac218df0f78 642764 libcrypto0.9.8-udeb_0.9.8o-2_amd64.udeb
c28b8e8cce0797fd7368f3bed610e327ad4b0df2 2296804 libssl-dev_0.9.8o-2_amd64.deb
944874ac3ace165786e0afee7d1dfefe8a7e7618 1493268 libssl0.9.8-dbg_0.9.8o-2_amd64.deb
Checksums-Sha256:
35e31fa33dc1ca13942926f9405835401536c7f12ddf2f3b8463fdf2cd2ed249 1967 openssl_0.9.8o-2.dsc
b2a473a80fd1f6cc6d6cbadf6773f1a970c634892816d9d9a1aeb5625a92abec 59243 openssl_0.9.8o-2.debian.tar.gz
c1c49a11e1ed0971b3b581057cd07f344484ee5bb829ebd18f5a8ba2020b82c6 1059178 openssl_0.9.8o-2_amd64.deb
ab96e5ed1eb8b01806faac41f86863afea036239333d003bd4715d18b4c5a683 945436 libssl0.9.8_0.9.8o-2_amd64.deb
a4ebea246590fb02de28b79e73251a6d8856546df8f2c350cdcc2b0b3578f4ac 642764 libcrypto0.9.8-udeb_0.9.8o-2_amd64.udeb
36c2bb2c232a323c923a7822cf93b0e6010145fc55f41aa7878ece4794835615 2296804 libssl-dev_0.9.8o-2_amd64.deb
425ee8b9dadf1901da8304b6e9da90b57aeccdf2742a438dfeee453f362a2652 1493268 libssl0.9.8-dbg_0.9.8o-2_amd64.deb
Files:
44f733ea6ebd7c42d810ed4e56d28fa3 1967 utils optional openssl_0.9.8o-2.dsc
a8e168d1b5aa794209e4298a8bed919a 59243 utils optional openssl_0.9.8o-2.debian.tar.gz
56adf9a1f6a32f605420f5b8df29d044 1059178 utils optional openssl_0.9.8o-2_amd64.deb
21ea85c5b47f3ef0b51210fde28225b0 945436 libs important libssl0.9.8_0.9.8o-2_amd64.deb
bef24904cda749356c99eb28a51a41f3 642764 debian-installer optional libcrypto0.9.8-udeb_0.9.8o-2_amd64.udeb
b8ecf6b59a3da53192a4d41d9307d633 2296804 libdevel optional libssl-dev_0.9.8o-2_amd64.deb
ab7d3d1ef05dc5e588866724e9196c70 1493268 debug extra libssl0.9.8-dbg_0.9.8o-2_amd64.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

=/6W+
-----END PGP SIGNATURE-----
--- End Message ---