Debian GNU/Linux Advisory: openssl095

Debian Security Advisory DSA 394-1	[email protected]
http://www.debian.org/security/	Martin Schulze
October 11th, 2003	http://www.debian.org/security/faq

Package	:	openssl095
Vulnerability	:	ASN.1 parsing vulnerability
Problem-Type	:	remote
Debian-specific	:	no
CVE references	:	CAN-2003-0543 CAN-2003-0544 CAN-2003-0545

Steve Henson of the OpenSSL core team identified and prepared
fixes for a number of vulnerabilities in the OpenSSL ASN1 code that
were discovered after running a test suite by British National
Infrastructure Security Coordination Centre (NISCC).

A bug in OpenSSLs SSL/TLS protocol was also identified which
causes OpenSSL to parse a client certificate from an SSL/TLS client
when it should reject it as a protocol error.

The Common Vulnerabilities and Exposures project identifies the
following problems:

CAN-2003-0543:

Integer overflow in OpenSSL that allows remote attackers to
cause a denial of service (crash) via an SSL client certificate
with certain ASN.1 tag values.

CAN-2003-0544:

OpenSSL does not properly track the number of characters in
certain ASN.1 inputs, which allows remote attackers to cause a
denial of service (crash) via an SSL client certificate that causes
OpenSSL to read past the end of a buffer when the long form is
used.

CAN-2003-0545:

Double-free vulnerability allows remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via
an SSL client certificate with a certain invalid ASN.1 encoding.
This bug was only present in OpenSSL 0.9.7 and is listed here only
for reference.

For the stable distribution (woody) this problem has been fixed
in openssl095 version 0.9.5a-6.woody.3.

This package is not present in the unstable (sid) or testing
(sarge) distribution.

We recommend that you upgrade your libssl095a packages and
restart services using this library. Debian doesn’t ship any
packages that are linked against this library.

The following commandline (courtesy of Ray Dassen) produces a
list of names of running processes that have libssl095 mapped into
their memory space:

find /proc -name maps -exec egrep -l ‘libssl095’ {} /dev/null ;
| sed -e ‘s/[^0-9]//g’ | xargs –no-run-if-empty ps –no-headers -p
| sed -e ‘s/^+//’ -e ‘s/ +/ /g’ | cut -d ‘ ‘ -f 5 | sort | uniq

You should restart the associated services.

Upgrade Instructions

wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives: