NetBSD Security Advisory 2010-012
=================================

Topic:    OpenSSL TLS extension parsing race condition.

Version:  NetBSD-current:  source prior to November 18, 2010
          NetBSD 5.0.*:    affected
          NetBSD 5.0:      affected
          NetBSD 5.1:      affected
          NetBSD 4.0.*:    not affected
          NetBSD 4.0:      not affected
          pkgsrc:          openssl package prior to 0.9.8p

Severity: Denial of Service and potential arbitrary code execution

Fixed:    NetBSD-current:     November 17, 2010
          NetBSD-5-0 branch:  November 19, 2010
          NetBSD-5-1 branch:  November 19, 2010
          NetBSD-5 branch:    November 19, 2010
          pkgsrc 2010Q3:      openssl-0.9.8p corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A flaw has been found in the OpenSSL TLS server extension code parsing
which on affected servers can be exploited in a buffer overrun attack.

This flaw impacts neither the Apache HTTP server nor any daemon as
shipped with NetBSD.

This vulnerability has been assigned CVE-2010-3864.


Technical Details
=================

Multiple race conditions in ssl/t1_lib.c in OpenSSL, when multi-threading
and internal caching are enabled on a TLS server, might allow remote
attackers to execute arbitrary code via client data that triggers a
heap-based buffer overflow, related to (1) the TLS server name extension
and (2) elliptic curve cryptography.

A binary that does not link against both libssl and a threading library
such as libpthread is unlikely to be affected.

See http://www.openssl.org/news/secadv_20101116.txt for the vulnerability
announcement from OpenSSL.


Solutions and Workarounds
=========================

- Patch, recompile, and reinstall libssl.

  CVS branch     file                                                revision
  -------------  --------------------------------------------------  --------
  HEAD           src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c   1.2

  CVS branch     file                                                revision
  -------------  --------------------------------------------------  --------
  netbsd-5-1     src/crypto/dist/openssl/ssl/t1_lib.c                1.2.12.1
  netbsd-5-0     src/crypto/dist/openssl/ssl/t1_lib.c                1.2.8.1
  netbsd-5       src/crypto/dist/openssl/ssl/t1_lib.c                1.2.4.1

The following instructions briefly summarize how to update and
recompile libssl. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  FILES    with the file names for that branch (from the above table)

To update from CVS, re-build, and re-install libc and sftp:

* NetBSD-current:

        # cd src
        # cvs update -d -P -A crypto/external/bsd/openssl/dist/ssl
        # cd lib/libcrypt
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../crypto/external/bsd/openssl/lib/libcrypto
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libssl
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

* NetBSD 5.*:

        # cd src
        # cvs update -d -P -r BRANCH crypto/dist/openssl/ssl
        # cd lib/libcrypt
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libcrypto
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libssl
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

For more information on building (oriented towards rebuilding the
entire system, however) see:

  http://www.netbsd.org/guide/en/chap-build.html


Thanks To
=========

Thanks to Rob Hulswit for discovering the problem and Dr Stephen Henson
for providing the fix.


Revision History
================

  2010-11-29    Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-012.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2010, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-012.txt,v 1.1 2010/11/28 14:23:19 tonnerre Exp $
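
Added example (not part of the NetBSD advisory or of NetBSD itself): a
triage helper for the linking condition stated under Technical Details,
listing binaries that link against both libssl and libpthread. The
function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Triage helper for NetBSD-SA2010-012 (CVE-2010-3864). Added example;
# function names and sample ldd text are constructed, not from the advisory.

# Constructed ldd output for a hypothetical threaded TLS daemon.
SAMPLE_THREADED='/usr/pkg/sbin/exampled:
	-lssl.5 => /usr/lib/libssl.so.5
	-lcrypto.5 => /usr/lib/libcrypto.so.5
	-lpthread.0 => /usr/lib/libpthread.so.0
	-lc.12 => /usr/lib/libc.so.12'

# Constructed ldd output for a hypothetical single-threaded TLS client.
SAMPLE_SSL_ONLY='/usr/pkg/bin/exampleclient:
	-lssl.5 => /usr/lib/libssl.so.5
	-lcrypto.5 => /usr/lib/libcrypto.so.5
	-lc.12 => /usr/lib/libc.so.12'

# classify_ldd: read ldd output on stdin and print one of
#   candidate   links libssl AND libpthread (review and patch first)
#   ssl-only    links libssl without libpthread
#   not-linked  does not link libssl
# Libraries loaded later with dlopen() do not appear in ldd output.
classify_ldd() {
    awk '
        /libssl\.so/     { ssl = 1 }
        /libpthread\.so/ { thr = 1 }
        END {
            if (ssl && thr) print "candidate"
            else if (ssl)   print "ssl-only"
            else            print "not-linked"
        }'
}

# scan_dirs: print every executable file in the given directories whose
# ldd output classifies as "candidate".
scan_dirs() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            out=$(ldd "$f" 2>/dev/null) || continue   # scripts, static binaries
            [ "$(printf '%s\n' "$out" | classify_ldd)" = "candidate" ] &&
                printf '%s\n' "$f"
        done
    done
    return 0
}

# Usage: sh thisfile /usr/pkg/sbin /usr/pkg/bin
if [ "$#" -gt 0 ]; then scan_dirs "$@"; fi
```

A "candidate" result only means the binary meets the linking condition
named in the advisory; whether it is a multi-threaded TLS server with
internal caching enabled still has to be checked per daemon.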