首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
OpenSSL < 0.9.8l and previous versions Multiple Vulnerability
来源:vfocus.net 作者:Martin 发布时间:2010-03-10  
=============================================================
OpenSSL < 0.9.8l and previous versions Multiple Vulnerability
=============================================================

SecurityRisk : High  Security Risk High  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Victim interaction required : No
Arrow  Exploit Available : Yes
Arrow  Credit : Bodo Moeller
Arrow  Published : 09.03.2010

Arrow  Affected Software : openssl:openssl:0.9.8l and previous versions
openssl:openssl:0.9.8k
openssl:openssl:0.9.8j
openssl:openssl:0.9.8i
openssl:openssl:0.9.8h
openssl:openssl:0.9.8g
openssl:openssl:0.9.8f
openssl:openssl:0.9.8e
openssl:openssl:0.9.8d
openssl:openssl:0.9.8c
openssl:openssl:0.9.8b
openssl:openssl:0.9.8a
openssl:openssl:0.9.8

OpenSSL CVS Repository
http://cvs.openssl.org/

___________________________________________________________________________
_

Server: cvs.openssl.org Name: Bodo Moeller
Root: /v/openssl/cvs Email: bodo@openssl.org
Module: openssl Date: 23-Feb-2010 11:36:41
Branch: OpenSSL_0_9_8-stable Handle: 2010022310363902

Modified files: (Branch: OpenSSL_0_9_8-stable)
openssl CHANGES
openssl/crypto/bn bn_div.c bn_gf2m.c
openssl/crypto/ec ec2_smpl.c
openssl/engines e_ubsec.c

Log:
Always check bn_wexpend() return values for failure (CVE-2009-3245).

(The CHANGES entry covers the change from PR #2111 as well, submitted
by
Martin Olsson.)

Submitted by: Neel Mehta

Summary:
Revision Changes Path
1.1238.2.189+3 -0 openssl/CHANGES
1.37.2.9 +1 -1 openssl/crypto/bn/bn_div.c
1.18.2.3 +2 -1 openssl/crypto/bn/bn_gf2m.c
1.14.2.2 +6 -4 openssl/crypto/ec/ec2_smpl.c
1.13.2.4 +2 -2 openssl/engines/e_ubsec.c

___________________________________________________________________________
_

patch -p0 <<'@@ .'
Index: openssl/CHANGES

===========================================================================
=
$ cvs diff -u -r1.1238.2.188 -r1.1238.2.189 CHANGES
--- openssl/CHANGES 19 Feb 2010 18:25:37 -0000 1.1238.2.188
+++ openssl/CHANGES 23 Feb 2010 10:36:39 -0000 1.1238.2.189
@@ -4,6 +4,9 @@

Changes between 0.9.8l and 0.9.8m [xx XXX xxxx]

+ *) Always check bn_wexpend() return values for failure.
(CVE-2009-3245)
+ [Martin Olsson, Neel Mehta]
+
*) Fix X509_STORE locking: Every 'objs' access requires a lock (to
accommodate for stack sorting, always a write lock!).
[Bodo Moeller]
@@ .
patch -p0 <<'@@ .'
Index: openssl/crypto/bn/bn_div.c

===========================================================================
=
$ cvs diff -u -r1.37.2.8 -r1.37.2.9 bn_div.c
--- openssl/crypto/bn/bn_div.c 17 Jun 2009 11:26:39 -0000 1.37.2.8
+++ openssl/crypto/bn/bn_div.c 23 Feb 2010 10:36:41 -0000 1.37.2.9
@@ -102,7 +102,7 @@
/* The next 2 are needed so we can do a dv->d<A NAME="-0"></A>[0]|=1
later
* since BN_lshift1 will only work once there is a value :-) */
BN_zero(dv);
- bn_wexpand(dv,1);
+ if(bn_wexpand(dv,1) == NULL) goto end;
dv->top=1;

if (!BN_lshift(D,D,nm-nd)) goto end;
@@ .
patch -p0 <<'@@ .'
Index: openssl/crypto/bn/bn_gf2m.c

===========================================================================
=
$ cvs diff -u -r1.18.2.2 -r1.18.2.3 bn_gf2m.c
--- openssl/crypto/bn/bn_gf2m.c 23 Jun 2008 20:46:28 -0000 1.18.2.2
+++ openssl/crypto/bn/bn_gf2m.c 23 Feb 2010 10:36:41 -0000 1.18.2.3
@@ -294,7 +294,8 @@
if (a->top < b->top) { at = b; bt = a; }
else { at = a; bt = b; }

- bn_wexpand(r, at->top);
+ if(bn_wexpand(r, at->top) == NULL)
+ return 0;

for (i = 0; i < bt->top; i++)
{
@@ .
patch -p0 <<'@@ .'
Index: openssl/crypto/ec/ec2_smpl.c

===========================================================================
=
$ cvs diff -u -r1.14.2.1 -r1.14.2.2 ec2_smpl.c
--- openssl/crypto/ec/ec2_smpl.c 13 Mar 2006 23:12:07 -0000 1.14.2.1
+++ openssl/crypto/ec/ec2_smpl.c 23 Feb 2010 10:36:41 -0000 1.14.2.2
@@ -174,8 +174,10 @@
dest->poly<A NAME="-2"></A>[2] = src->poly[2];
dest->poly<A NAME="-3"></A>[3] = src->poly[3];
dest->poly<A NAME="-4"></A>[4] = src->poly[4];
- bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
- bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+ if(bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2)
== NULL)
+ return 0;
+ if(bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2)
== NULL)
+ return 0;
for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0;
for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0;
return 1;
@@ -199,12 +201,12 @@

/* group->a */
if (!BN_GF2m_mod_arr(&group->a, a, group->poly)) goto err;
- bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) /
BN_BITS2);
+ if(bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) /
BN_BITS2) == NULL) goto err;
for (i = group->a.top; i < group->a.dmax; i++) group->a.d[i] = 0;

/* group->b */
if (!BN_GF2m_mod_arr(&group->b, b, group->poly)) goto err;
- bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) /
BN_BITS2);
+ if(bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) /
BN_BITS2) == NULL) goto err;
for (i = group->b.top; i < group->b.dmax; i++) group->b.d[i] = 0;

ret = 1;
@@ .
patch -p0 <<'@@ .'
Index: openssl/engines/e_ubsec.c

===========================================================================
=
$ cvs diff -u -r1.13.2.3 -r1.13.2.4 e_ubsec.c
--- openssl/engines/e_ubsec.c 6 Sep 2007 12:43:53 -0000 1.13.2.3
+++ openssl/engines/e_ubsec.c 23 Feb 2010 10:36:41 -0000 1.13.2.4
@@ -934,7 +934,7 @@
priv_key = BN_new();
if (priv_key == NULL) goto err;
priv_key_len = BN_num_bits(dh->p);
- bn_wexpand(priv_key, dh->p->top);
+ if(bn_wexpand(priv_key, dh->p->top) == NULL) goto err;
do
if (!BN_rand_range(priv_key, dh->p)) goto err;
while (BN_is_zero(priv_key));
@@ -949,7 +949,7 @@
{
pub_key = BN_new();
pub_key_len = BN_num_bits(dh->p);
- bn_wexpand(pub_key, dh->p->top);
+ if(bn_wexpand(pub_key, dh->p->top) == NULL) goto err;
if(pub_key == NULL) goto err;
}
else
@@ .

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·JITed exec notepad Shellcode
·This Metasploit module will ex
·BigForum version 4.5 remote SQ
·Orbital Viewer ORB File Parsin
·QuickZip 4.x (.zip) Buffer Ove
·Easy FTP Server v1.7.0.2 CWD R
·QuickZip 4.x (.zip) 0day Local
·JAD java decompiler 1.5.8g (ar
·FreeBSD and OpenBSD 'ftpd' NUL
·JAD java decompiler 1.5.8g (.c
·Linux Kernel 64bit Personality
·Netscape Navigator - Namoroka
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved