Contributed by pitrh on from the may contain dangerous toys dept.
The response to today's much-anticipated unveiling of newly discovered OpenSSL vulnerabilities has been varied and loud as expected. However, the impact on the OpenBSD-initated LibreSSL project's code -- which has undergone extensive cleanup since LibreSSL forked off OpenSSL's code base in 2014 -- appears to be limited. Out of a total of 13 CVEs in OpenSSL's announcement, only five - CVE-2015-0207, CVE-2015-0286, CVE-2015-0287, CVE-2015-0289 and CVE-2015-0209, still applied to LibreSSL's code.
The main takeaway from the announcement appears to be that the cleanup has been effective, however these 'crash-inducing' issues have now been fixed in LibreSSL:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp CVE-2015-0287 - ASN.1 structure reuse memory corruption CVE-2015-0289 - PKCS7 NULL pointer dereferences
The OpenSSL project provided information and patches to the LibreSSL project in advance of the announcements.
More, including information about OpenBSD 5.7, 5.6 and 5.5, after the fold.
Commits to OpenBSD-current, are described in this message:
Changes by: tedu@cvs.openbsd.org 2015/03/19 08:00:22 Modified files: lib/libssl/src/crypto/asn1: a_int.c a_set.c a_type.c d2i_pr.c d2i_pu.c n_pkey.c tasn_dec.c x_x509.c lib/libssl/src/crypto/ec: ec_asn1.c lib/libssl/src/crypto/pkcs7: pk7_doit.c pk7_lib.c lib/libssl/src/ssl: d1_lib.c Log message: Fix several crash causing defects from OpenSSL. These include: CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp CVE-2015-0287 - ASN.1 structure reuse memory corruption CVE-2015-0289 - PKCS7 NULL pointer dereferences Several other issues did not apply or were already fixed. Refer to https://www.openssl.org/news/secadv_20150319.txt joint work with beck, doug, guenther, jsing, miod
Changes relevant to the OpenBSD 5.7 patch branch are described in this message
Changes by: tedu@cvs.openbsd.org 2015/03/19 08:01:16 Modified files: lib/libssl/src/crypto/asn1: Tag: OPENBSD_5_7 a_int.c a_set.c a_type.c d2i_pr.c d2i_pu.c n_pkey.c tasn_dec.c x_x509.c lib/libssl/src/crypto/ec: Tag: OPENBSD_5_7 ec_asn1.c lib/libssl/src/crypto/pkcs7: Tag: OPENBSD_5_7 pk7_doit.c pk7_lib.c lib/libssl/src/crypto/x509: Tag: OPENBSD_5_7 x509_req.c lib/libssl/src/ssl: Tag: OPENBSD_5_7 d1_lib.c Log message: Fix several crash causing defects from OpenSSL. These include: CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp CVE-2015-0287 - ASN.1 structure reuse memory corruption CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref CVE-2015-0289 - PKCS7 NULL pointer dereferences Several other issues did not apply or were already fixed. Refer to https://www.openssl.org/news/secadv_20150319.txt joint work with beck, doug, guenther, jsing, miod
Changes relevant to the OpenBSD 5.6 patch branch are described in this message (with patch available)
Changes by: tedu@cvs.openbsd.org 2015/03/19 08:02:23 Modified files: lib/libssl/src/crypto/asn1: Tag: OPENBSD_5_6 a_int.c a_set.c a_type.c d2i_pr.c d2i_pu.c n_pkey.c tasn_dec.c x_x509.c lib/libssl/src/crypto/ec: Tag: OPENBSD_5_6 ec_asn1.c lib/libssl/src/crypto/pkcs7: Tag: OPENBSD_5_6 pk7_doit.c pk7_lib.c lib/libssl/src/crypto/x509: Tag: OPENBSD_5_6 x509_req.c lib/libssl/src/ssl: Tag: OPENBSD_5_6 d1_lib.c Log message: Fix several crash causing defects from OpenSSL. These include: CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp CVE-2015-0287 - ASN.1 structure reuse memory corruption CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref CVE-2015-0289 - PKCS7 NULL pointer dereferences Several other issues did not apply or were already fixed. Refer to https://www.openssl.org/news/secadv_20150319.txt joint work with beck, doug, guenther, jsing, miod
And finally, changes relevant to the still supported OpenBSD 5.5 patch branch are described in this message, (with patch available)
Changes by: tedu@cvs.openbsd.org 2015/03/19 08:02:23 Modified files: lib/libssl/src/crypto/asn1: Tag: OPENBSD_5_6 a_int.c a_set.c a_type.c d2i_pr.c d2i_pu.c n_pkey.c tasn_dec.c x_x509.c lib/libssl/src/crypto/ec: Tag: OPENBSD_5_6 ec_asn1.c lib/libssl/src/crypto/pkcs7: Tag: OPENBSD_5_6 pk7_doit.c pk7_lib.c lib/libssl/src/crypto/x509: Tag: OPENBSD_5_6 x509_req.c lib/libssl/src/ssl: Tag: OPENBSD_5_6 d1_lib.c Log message: Fix several crash causing defects from OpenSSL. These include: CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp CVE-2015-0287 - ASN.1 structure reuse memory corruption CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref CVE-2015-0289 - PKCS7 NULL pointer dereferences Several other issues did not apply or were already fixed. Refer to https://www.openssl.org/news/secadv_20150319.txt joint work with beck, doug, guenther, jsing, miod
You can either check out a fresh source tree via cvs from your local mirror or turn to each release's patches page to download the patches.
Patches for OpenBSD 5.5
Patches for OpenBSD 5.6
Patches for OpenBSD 5.7
(Comments are closed)
By Noryungi (noryungi) noryungi@yahoo.com on
The fact that many CVEs do not affect LibreSSL is proof enough that the ''take no prisoners'' approach is paying off.
My hats off to you, I'll make sure to include a donation with my CD order (like I always do).