[Pkg-openssl-devel] Bug#675436: openssl: Buffer overflow vulnerability
Henri Salo
henri at nerv.fi
Fri Jun 1 07:18:25 UTC 2012
Package: openssl
Version: 0.9.8o-4squeeze13
Severity: important
Tags: security
Description from email: http://seclists.org/bugtraq/2012/May/155
A buffer overflow vulnerability has been discovered within the OpenSSL command line utility. The vulnerability is revealed within the signing of a certificate. When issuing a sample command "openssl ca -config /path/to/cnf -in /path/to/csr -extensions v3_ca -out /path/to/crt" the user is prompted for the password of the signing certificate. This input data is improperly handled which results in a buffer overflow when the user enters a large amount of data. The password prompt requests 4 - 8191 characters however with large data input, stack smashing is detected. Our testing showed this to work on Ubuntu 12.04 and Suse Linux Enterprise Server 10. Our testing also found the OpenSSL binary found on Backtrack 5 R2 was presumably compiled without buffer overflow countermeasures.
The discoverer did report this to the OpenSSL people after I emailed him. No reply yet. I haven't verified this. Please check if this is valid. Probably doesn't affect squeeze, but let's verify.
-- System Information:
Debian Release: 6.0.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssl depends on:
ii libc6 2.11.3-3 Embedded GNU C Library: Shared lib
ii libssl0.9.8 0.9.8o-4squeeze13 SSL shared libraries
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20090814+nmu3squeeze1 Common CA certificates
-- no debconf information