Bug 48395 (CVE-2003-0960)

Summary: VUL-0: CVE-2003-0960: OpenCA: multiple flaws in OpenCA before version 0.9.1.4
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Uwe Gansert <ug>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2003-0960: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Biege 2003-12-01 16:39:59 UTC
Hello.
OpenCA update version 0.9.1.4 addresses several security related flaws. 
http://www.openca.org/news/CAN-2003-0960.txt 
 
Olaf Kirch did a quickcheck for our version: 
From: Olaf Kirch <okir@suse.de> 
To: security-team@suse.de 
Date: Fri, 28 Nov 2003 14:31:57 +0100 
Subject: Re: [security-team] [Full-Disclosure] [OpenCA Advisory] 
    Vulnerabilities in signature verification (fwd) 
Reply-To: security-team@suse.de 
 
On Fri, Nov 28, 2003 at 02:01:29PM +0100, Roman Drahtmueller wrote: 
> do we already have this on a product?
 
/work/SRC/old-versions/7.2/arch/sles-i386/perl-OpenCA-CRL 
/work/SRC/old-versions/7.2/arch/sles-i386/perl-OpenCA-OpenSSL 
/work/SRC/old-versions/7.2/arch/sles-i386/perl-OpenCA-REQ 
/work/SRC/old-versions/7.2/arch/sles-i386/perl-OpenCA-X509 
/work/SRC/old-versions/7.3/all/perl-OpenCA-CRL 
/work/SRC/old-versions/7.3/all/perl-OpenCA-OpenSSL 
/work/SRC/old-versions/7.3/all/perl-OpenCA-REQ 
/work/SRC/old-versions/7.3/all/perl-OpenCA-X509 
/work/SRC/old-versions/8.0/all/perl-OpenCA-CRL 
/work/SRC/old-versions/8.0/all/perl-OpenCA-OpenSSL 
/work/SRC/old-versions/8.0/all/perl-OpenCA-REQ 
/work/SRC/old-versions/8.0/all/perl-OpenCA-X509 
/work/SRC/old-versions/8.1/all/perl-OpenCA-CRL 
/work/SRC/old-versions/8.1/all/perl-OpenCA-OpenSSL 
/work/SRC/old-versions/8.1/all/perl-OpenCA-REQ 
/work/SRC/old-versions/8.1/all/perl-OpenCA-X509 
/work/SRC/old-versions/8.2/all/perl-OpenCA-CRL 
/work/SRC/old-versions/8.2/all/perl-OpenCA-OpenSSL 
/work/SRC/old-versions/8.2/all/perl-OpenCA-REQ 
/work/SRC/old-versions/8.2/all/perl-OpenCA-X509 
/work/SRC/old-versions/9.0/all/perl-OpenCA-CRL 
/work/SRC/old-versions/9.0/all/perl-OpenCA-OpenSSL 
/work/SRC/old-versions/9.0/all/perl-OpenCA-REQ 
/work/SRC/old-versions/9.0/all/perl-OpenCA-X509 
 
> Multiple flaws in OpenCA before version 0.9.1.4 could cause OpenCA to 
> use an incorrect certificate in the chain to determine the serial being 
> checked which could lead to certificates that are revoked or expired 
> being incorrectly accepted. 
The version information is somewhat confusing. The perl-OpenCA-* packages all
have different version numbers. The only package with a 0.9 version is
OpenCA-OpenSSL, and that has been present since SuLI 8.1 in version 0.9.63a,
which IMHO is clearly greater than 0.9.1.4.
 
Maintainer Uwe Gansert <ug@suse.de> 
 
Olaf 
-- 
Olaf Kirch     |  Anyone who has had to work with X.509 has probably 
okir@suse.de   |  experienced what can best be described as 
---------------+  ISO water torture. -- Peter Gutmann
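The failure mode quoted in the advisory above, where the serial number used for the revocation check is taken from the wrong certificate in the chain, as an added illustration in Python. This is not OpenCA's code; the certificates, the CRL and the date are constructed, and the "buggy" function models only the general flaw class, not OpenCA's actual implementation.

```python
# Constructed certificate chain, modelled as plain dicts, in the order the
# certificates might appear inside a PKCS#7 SignedData structure.
CHAIN = [
    {"subject": "CN=Root CA", "issuer": "CN=Root CA", "serial": 1, "not_after": 20101231},
    {"subject": "CN=Issuing CA", "issuer": "CN=Root CA", "serial": 17, "not_after": 20081231},
    {"subject": "CN=alice", "issuer": "CN=Issuing CA", "serial": 4242, "not_after": 20041231},
]

# Constructed CRL, keyed by issuer: the Issuing CA has revoked alice's serial.
CRL = {"CN=Issuing CA": {4242}}

# Constructed "current date" (YYYYMMDD) for the expiry check.
NOW = 20031201


def end_entity(chain):
    """Return the signer's end-entity certificate: the one no other certificate
    in the chain names as its issuer. Raises if the chain is malformed."""
    issuers = {c["issuer"] for c in chain}
    leaves = [c for c in chain if c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError("chain must contain exactly one end-entity certificate")
    return leaves[0]


def is_revoked(cert, crl):
    """Look the certificate's serial up in its own issuer's CRL."""
    return cert["serial"] in crl.get(cert["issuer"], set())


def is_expired(cert, now):
    return cert["not_after"] < now


def accept_signer_buggy(chain, crl, now=NOW):
    """Flaw class described by the advisory: the serial and validity checked
    are those of whichever certificate happens to come first in the chain
    (here a CA certificate), so a revoked signer certificate is accepted."""
    cert = chain[0]
    return not is_revoked(cert, crl) and not is_expired(cert, now)


def accept_signer_fixed(chain, crl, now=NOW):
    """Corrected logic: locate the actual signer certificate first, then
    check that certificate's serial against its issuer's CRL and its expiry."""
    cert = end_entity(chain)
    return not is_revoked(cert, crl) and not is_expired(cert, now)
```

With the constructed chain, `accept_signer_buggy` accepts the revoked signer because it inspects the root CA's serial, while `accept_signer_fixed` rejects it regardless of the order in which the chain is presented.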
Comment 1 Thomas Biege 2003-12-01 16:39:59 UTC
Comment 2 Thomas Biege 2003-12-01 16:50:03 UTC
Uwe, can you check which versions need patching please. 
 
I'll provide you with the patchinfo file ASAP. 
Comment 3 Uwe Gansert 2003-12-01 17:08:54 UTC
All we have are some low-level Perl modules from the whole OpenCA project. The
bug is in the high-level API.
None of the files that are affected and patched by the OpenCA team is in our
distribution. We just use the low-level modules to parse certificates.

I'll take a closer look, but at the moment I don't expect any problems for us.

Comment 4 Uwe Gansert 2003-12-01 18:04:07 UTC
There is nothing to do for us. None of the files patched by the OpenCA team:

PKCS7.pm
crypto-utils.lib
verifySignature
viewSignature

is in one of our source tar.gz files. It's a bug in the web GUI and the logic
they provide.
Comment 5 Thomas Biege 2003-12-01 18:21:37 UTC
Ok, thank you!  
Comment 6 Thomas Biege 2009-10-13 19:42:31 UTC
CVE-2003-0960: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)