[Secure-testing-team] Bug#594415: CVE-2010-2939: Double free

Moritz Muehlenhoff jmm at debian.org
Wed Aug 25 20:03:50 UTC 2010

Package: openssl
Version: 0.9.8o-1
Severity: grave
Tags: security

Please see:

Solar Designer posted an analysis on oss-security:


> Georgi Guninski found a double free issue in openssl's client implementation:
> http://www.mail-archive.com/openssl-dev@openssl.org/msg28043.html
> The affected code also is in pre 1.0 versions but only 1.0 uses ECDH
> for ssl by default AFAICT.

I took a brief look at the code.  ECDH was introduced somewhere between
0.9.7 and 0.9.8.  0.9.7m doesn't have it (so it was never backported to
those stable releases), 0.9.8 does.  The double-free bug, or at least
the code being patched now, is already present in 0.9.8.

Here's the trivial patch:


which should work for 0.9.8+ (applies cleanly to 0.9.8, with an offset)
and is not needed for older versions.




-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssl depends on:
ii  libc6                   2.11.2-2         Embedded GNU C Library: Shared lib
ii  libssl0.9.8             0.9.8o-1         SSL shared libraries
ii  zlib1g                  1: compression library - runtime

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates            20090814+nmu2 Common CA certificates

-- no debconf information

More information about the Secure-testing-team mailing list