Bug 950707 - (CVE-2015-5333) VUL-0: CVE-2015-5333: libressl: Memory Leak
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.2
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/157834/
Depends on:
Blocks:
Reported: 2015-10-16 08:23 UTC by Andreas Stieger
Modified: 2016-05-18 12:08 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2015-10-16 08:23:35 UTC
From http://seclists.org/oss-sec/2015/q4/87

[...]
Memory Leak (CVE-2015-5333)
[...]
In order to achieve remote code execution against the vulnerabilities
that we recently discovered in OpenSMTPD (CVE-2015-7687), a memory leak
is needed. Because we could not find one in OpenSMTPD itself, we started
to review the malloc()s and free()s of its libraries, and eventually
found a memory leak in LibreSSL's OBJ_obj2txt() function; we then
realized that this function also contains a buffer overflow (an
off-by-one, usually stack-based).

The vulnerable function OBJ_obj2txt() is reachable through
X509_NAME_oneline() and d2i_X509(), which is called automatically to
decode the X.509 certificates exchanged during an SSL handshake (both
client-side, unless an anonymous mode is used, and server-side, if
client authentication is requested).

These vulnerabilities affect all LibreSSL versions, including LibreSSL
2.0.0 (the first public release) and LibreSSL 2.3.0 (the latest release
at the time of writing). OpenSSL is not affected.


========================================================================
Memory Leak (CVE-2015-5333)
========================================================================

OBJ_obj2txt() converts an ASN.1 object identifier (the ASN1_OBJECT a)
into a null-terminated string of numerical subidentifiers separated by
dots (at most buf_len bytes are written to buf).

Large subidentifiers are temporarily stored in a BIGNUM (bl) and
converted by BN_bn2dec() into a printable string of decimal characters
(bndec). Many such bndec strings can be malloc()ated and memory-leaked
in a loop, because only the last one will be free()d, after the end of
the loop:

int
OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
{
...
        char *bndec = NULL;
...
        len = a->length;
...
        while (len > 0) {
...
                        bndec = BN_bn2dec(bl);
                        if (!bndec)
                                goto err;
                        i = snprintf(buf, buf_len, ".%s", bndec);
...
        }
...
        free(bndec);
...
}

This memory leak allows remote attackers to cause a denial of service
(memory exhaustion) or trigger the buffer overflow described below.
[...]


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5333
http://seclists.org/oss-sec/2015/q4/87
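The allocation pattern the advisory quotes, as an added example that is not part of this bug report or of LibreSSL: a small DER OID decoder in the shape of OBJ_obj2txt(), where the hypothetical subid2dec() stands in for BN_bn2dec(), with a switch that either frees the decimal string once after the loop (the leaked pattern) or on every iteration (the fix), and a counter live_allocs that shows how many strings were never freed. All function names, the global oid_text buffer and the DER bytes (content octets of 1.2.840.113549) are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int live_allocs;    /* decimal strings allocated but not yet freed */
char oid_text[32];  /* output of decode_rsadsi(), global so it can be inspected */

/* Stand-in for BN_bn2dec(): heap-allocates the decimal text of one subidentifier. */
static char *subid2dec(unsigned long v)
{
    char *s = malloc(24);
    if (s) { snprintf(s, 24, "%lu", v); live_allocs++; }
    return s;
}
static void dec_free(char *s) { if (s) { free(s); live_allocs--; } }

/* Decode DER OID content octets (base 128, high bit = continuation) into dotted text,
 * at most buf_len bytes. leak_like_cve=1 frees the decimal string once after the loop
 * (the advisory's pattern); 0 frees it every iteration. Returns subid count, -1 on OOM. */
int oid2txt(char *buf, int buf_len, const unsigned char *data, int len, int leak_like_cve)
{
    char *dec = NULL;
    unsigned long v = 0, ids[2];
    int n = 0, pos = 0, cnt;
    if (buf_len > 0) buf[0] = '\0';
    for (int i = 0; i < len; i++) {
        v = (v << 7) | (data[i] & 0x7f);
        if (data[i] & 0x80) continue;          /* more octets of this subid follow */
        if (n == 0) { ids[0] = v < 80 ? v / 40 : 2; ids[1] = v - 40 * ids[0]; cnt = 2; }
        else { ids[0] = v; cnt = 1; }          /* first value packs two subids as 40*X+Y */
        for (int k = 0; k < cnt; k++, n++) {
            if (!leak_like_cve) dec_free(dec); /* fix: release the previous string first */
            if (!(dec = subid2dec(ids[k]))) return -1;
            int rem = buf_len > pos ? buf_len - pos : 0;   /* snprintf(NULL, 0) only counts */
            pos += snprintf(rem ? buf + pos : NULL, rem, "%s%s", n ? "." : "", dec);
        }
        v = 0;
    }
    dec_free(dec);                             /* as in the advisory: only the last one */
    return n;
}

/* Decode the constructed input (DER content of 1.2.840.113549) into oid_text using at
 * most out_len bytes; returns how many decimal strings were never freed (0 = no leak). */
int decode_rsadsi(int out_len, int leak_like_cve)
{
    static const unsigned char der[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d };
    if (out_len > (int)sizeof oid_text) out_len = (int)sizeof oid_text;
    live_allocs = 0;
    return oid2txt(oid_text, out_len, der, (int)sizeof der, leak_like_cve) < 0 ? -1 : live_allocs;
}
```

With a 4-byte out_len the text is cut to "1.2" without writing past the buffer, so the same walk also shows the buf_len bound being honoured.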
Comment 1 Andreas Stieger 2015-10-16 08:30:52 UTC
OpenBSD Errata for LibreSSL 2.2.4, 2.1.8, 2.0.6 (Oct 15, 2015) for both boo#950708 and boo#950708
http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/007_obj2txt.patch.sig
Comment 2 Bernhard Wiedemann 2015-10-16 09:00:38 UTC
This is an autogenerated message for OBS integration:
This bug (950707) was mentioned in
https://build.opensuse.org/request/show/339220 13.2 / libressl
Comment 3 Andreas Stieger 2015-10-16 09:28:10 UTC
(In reply to comment #2)
> https://build.opensuse.org/request/show/339220 13.2 / libressl

Unfortunately, libressl 2.3.0 is affected by both bug 950707 and 950708.

comment #1 references a patch that you could apply to the 2.2.1 version, possibly going for 2.2.4 + this patch for openSUSE 13.2.
Comment 4 Bernhard Wiedemann 2015-10-16 18:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (950707) was mentioned in
https://build.opensuse.org/request/show/339322 Factory / libressl
Comment 5 Bernhard Wiedemann 2015-10-16 20:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (950707) was mentioned in
https://build.opensuse.org/request/show/339338 13.2+Leap:42.1 / libressl.openSUSE_Leap_42.1+libressl
Comment 6 Swamp Workflow Management 2015-10-16 22:00:59 UTC
bugbot adjusting priority
Comment 7 Andreas Stieger 2015-10-19 09:03:20 UTC
Update running, thanks.
Comment 8 Swamp Workflow Management 2015-10-27 12:09:45 UTC
openSUSE-SU-2015:1830-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 950707,950708
CVE References: CVE-2015-5333,CVE-2015-5334
Sources used:
openSUSE 13.2 (src):    libressl-2.2.1-2.6.1
Comment 9 Andreas Stieger 2015-10-27 12:32:00 UTC
All done.
Comment 10 Swamp Workflow Management 2015-10-29 16:52:25 UTC
openSUSE-SU-2015:1830-2: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 950707,950708
CVE References: CVE-2015-5333,CVE-2015-5334
Sources used:
openSUSE  (src):    libressl-2.3.0-3.1
Comment 11 Swamp Workflow Management 2016-05-18 12:08:46 UTC
openSUSE-SU-2016:1327-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 950707,950708,957812,957815,977584,978492
CVE References: CVE-2015-3194,CVE-2015-3195,CVE-2015-5333,CVE-2015-5334
Sources used:
openSUSE 13.2 (src):    libressl-2.2.7-2.13.1