Contributed by merdely on from the pointing-out-the-goo dept.
Patches are available for OpenBSD 4.2 (errata, patch), OpenBSD 4.1 (errata, patch) and OpenBSD 4.0 (errata, patch) which address an off-by-one overflow in the SSL_get_shared_ciphers() function in OpenSSL. This vulnerability affects all architectures.
Details below.
Edit: Commit information corrected.
moritz@'s commits (1.16 & 1.17) to -current:
CVSROOT: /cvs
Module name: src
Changes by: moritz@ 2007/10/10 13:39:19
Modified files:
lib/libssl/src/ssl: ssl_lib.c
Log message:
Replace use of strcpy(3) and other pointer goo in SSL_get_shared_ciphers() with strlcat(3).
ok deraadt@ markus@
-------------------
CVSROOT: /cvs
Module name: src
Changes by: moritz@ 2007/09/27 10:18:12
Modified files:
lib/libssl/src/ssl: ssl_lib.c
Log message:
Fix off-by-one buffer overflow in SSL_get_shared_ciphers(). From OpenSSL_0_9_8-stable branch.
ok djm@
(The updates to the -stable branches were made by henning@.)
By Anonymous Coward (85.178.81.228) on
After people told me my researches and co are not detailed enough, it's good to see that at least the developers were able to do the right thing :]
By dingo (192.85.50.2) af.dingo@gmail.com on
ssl apache? Likely not ssh? etc..
I'm sure some packages do, but I'm only curious with what's in base.
Comments
By Philip Guenther (64.58.1.252) on
> function can be called from?
The only code in the main OpenBSD tree that calls SSL_get_shared_ciphers() is the openssl(1) utility's s_client and s_server modes. However, that code passes the function a buffer of size BUFSIZ (== 1024) while the complete list of ciphers is only 666 bytes, so it's impossible to hit the overflow there.
The only other code that I've *ever* seen that calls that function is the perl Net::SSLeay module, which simply provides access to OpenSSL functions from perl. Maybe there's a perl script out there that uses that, but I haven't seen one.
The function itself is almost useless; the only reason I can think to call it would be if you were debugging the cipher selection algorithm in OpenSSL.
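The bug class named in the commit log above, and the buffer-size point made in the comment about BUFSIZ, shown as an added example (not OpenSSL's or OpenBSD's code): a constructed name joiner whose length check forgets the byte written after each name, beside a bounded version with strlcat(3)-style semantics written out by hand. NAMES, arena and every function name here are assumptions made for the illustration.

```c
#include <string.h>

/* Constructed names: 29 characters once joined with ':', 30 bytes with the NUL. */
static const char *const NAMES[] = { "AES256-SHA", "AES128-SHA", "RC4-MD5" };
static char arena[64];   /* real storage; the joiners are told it is smaller */

/* Flawed on purpose: the check budgets for the name, not the byte after it. */
int join_off_by_one(char *buf, size_t len, const char *const *names, size_t n) {
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(names[i]);
        if (used + l > len) break;        /* should be: used + l + 1 > len */
        memcpy(buf + used, names[i], l);
        used += l;
        buf[used++] = ':';                /* hits buf[len] when the name just fit */
    }
    if (used > 0) buf[used - 1] = '\0';   /* last ':' becomes the terminator */
    return 0;
}

/* Append with strlcat(3)-style semantics, written out by hand: never writes
 * past dst[size - 1] and returns the length it tried to create. */
static size_t bounded_cat(char *dst, const char *src, size_t size) {
    size_t d = 0, s = strlen(src);
    while (d < size && dst[d] != '\0') d++;
    if (d == size) return size + s;       /* dst was not a string within size */
    size_t room = size - d - 1, c = s < room ? s : room;
    memcpy(dst + d, src, c);
    dst[d + c] = '\0';
    return d + s;
}

/* Returns 0 if the whole list fit, -1 if it was truncated (still terminated). */
int join_bounded(char *buf, size_t len, const char *const *names, size_t n) {
    if (len == 0) return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (i > 0 && bounded_cat(buf, ":", len) >= len) return -1;
        if (bounded_cat(buf, names[i], len) >= len) return -1;
    }
    return 0;
}

/* Returns 1 if the joiner, told the buffer holds len (< 64) bytes, wrote arena[len]. */
int writes_past_end(int bounded, size_t len) {
    memset(arena, 0x5A, sizeof arena);    /* 0x5A marks untouched bytes */
    (bounded ? join_bounded : join_off_by_one)(arena, len, NAMES, 3);
    return arena[len] != 0x5A;
}
```

The flawed check only misfires when a name exactly fills the claimed size (10, 21 or 29 bytes with these names); a caller whose buffer is larger than the full joined list, as in the openssl(1) case described above, never reaches it.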
By HSpirit (116.240.230.130) damon.mcmahon@gmail.com on
# patch -p0 < 011_openssl.patch && cd lib/libssl && make obj && make depend && make
...
[everything fine until...]
...
In file included from /usr/src/lib/libssl/src/crypto/objects/obj_dat.c:68:
/usr/src/lib/libssl/crypto/obj/obj_dat.h:1137: error: `NID_sbqp_ipAddrBlock' undeclared here (not in a function)
...
[...then lots of errors until...]
...
/usr/src/lib/libssl/crypto/obj/obj_dat.h:1758: error: (near initialization for `nid_objs[667]')
*** Error code 1
Stop in /usr/src/lib/libssl/crypto.
*** Error code 1
Stop in /usr/src/lib/libssl.
Comments
By Anonymous Coward (85.8.2.145) on
>
same for me on 4.0, make fails
# make
===> crypto
cc -O2 -pipe -g -DL_ENDIAN -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_IDEA -DTERMIOS -DANSI_SOURCE -DNO_ERR -DOPENSSL_NO_ASM -DOPENSSL_NO_RC5 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_MDC2 -DNO_WINDOWS_BRAINDEATH -DOPENSSL_NO_HW_CSWIFT -DOPENSSL_NO_HW_NCIPHER -DOPENSSL_NO_HW_ATALLA -DOPENSSL_NO_HW_NURON -DOPENSSL_NO_HW_UBSEC -DOPENSSL_NO_HW_AEP -DOPENSSL_NO_HW_SUREWARE -DOPENSSL_NO_HW_4758_CCA -I/usr/src/lib/libssl/crypto/../src -I/usr/src/lib/libssl/crypto/../src/crypto -I/usr/src/lib/libssl/crypto/obj -DAES_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENBSD_CAST_ASM -DOPENBSD_DES_ASM -c /usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c -o rsa_eay.o
/usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c: In function `RSA_eay_private_encrypt':
/usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c:298: error: `OPENSSL_RSA_MAX_MODULUS_BITS' undeclared (first use in this function)
/usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c:298: error: (Each undeclared identifier is reported only once
/usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c:298: error: for each function it appears in.)
/usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c:300: error: `RSA_R_MODULUS_TOO_LARGE' undeclared (first use in this function)
/usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c:311: error: `OPENSSL_RSA_SMALL_MODULUS_BITS' undeclared (first use in this function)
/usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c:313: error: `OPENSSL_RSA_MAX_PUBEXP_BITS' undeclared (first use in this function)
/usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c: In function `RSA_eay_public_decrypt':
/usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c:601: error: `OPENSSL_RSA_MAX_MODULUS_BITS' undeclared (first use in this function)
/usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c:603: error: `RSA_R_MODULUS_TOO_LARGE' undeclared (first use in this function)
/usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c:614: error: `OPENSSL_RSA_SMALL_MODULUS_BITS' undeclared (first use in this function)
/usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c:616: error: `OPENSSL_RSA_MAX_PUBEXP_BITS' undeclared (first use in this function)
*** Error code 1
Stop in /usr/src/lib/libssl/crypto.
*** Error code 1
Stop in /usr/src/lib/libssl.
Comments
By smeg lister (141.150.242.184) on
> >
>
> same for me on 4.0, make fails
...
> /usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c:300: error: `RSA_R_MODULUS_TOO_LARGE' undeclared (first use in this function)
> /usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c:311: error: `OPENSSL_RSA_SMALL_MODULUS_BITS' undeclared (first use in this function)
> /usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c:313: error: `OPENSSL_RSA_MAX_PUBEXP_BITS' undeclared (first use in this function)
> /usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c: In function `RSA_eay_public_decrypt':
...
A possible cause is that the source tree you're trying to compile on is incomplete. You need to examine the .c files, look at what header (.h) files they're #include'ing and then grep for these "undeclared" elements in the header file locations. You can even try recursively grep'ing through all of /usr/include and /usr/src.
The undeclared elements should be in there somewhere. They explicitly pertain to OpenSSL and are not strange compiler errors or whatever. The preprocessor/compiler is simply not finding what it's looking for.
Or something like that. I only play a software developer on TV.
By LABarr (209.180.207.226) southpacificsoft@isomedia.com on www.sps-c.net
> >
>
> same for me on 4.0, make fails
>
>
I patched about a dozen machines tonight all running 4.0 w/o any problems. About a 70/30 split of i386 & sparc64's. The Sparcs took about a minute longer but didn't take any more than 5 minutes on any one machine. Good luck!
By Richard Toohey (203.167.190.49) richardtoohey@hotmail.com on
Only other difference - did the commands one-per-line.
Also patched a 4.2 box - no errors.
Comments
By HSpirit (116.240.235.221) damon.mcmahon@gmail.com on
>
> Only other difference - did the commands one-per-line.
>
> Also patched a 4.2 box - no errors.
>
Tried again, one command per line, that seemed to do the trick - no idea why (race condition? dunno...)