[Secure-testing-team] Bug#594415: CVE-2010-2939: Double free
Moritz Muehlenhoff
jmm at debian.org
Wed Aug 25 20:03:50 UTC 2010
Package: openssl
Version: 0.9.8o-1
Severity: grave
Tags: security
Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939
Solar Designer posted an analysis on oss-security:
---
> Georgi Guninski found a double free issue in openssl's client implementation:
> http://www.mail-archive.com/openssl-dev@openssl.org/msg28043.html
> The affected code also is in pre 1.0 versions but only 1.0 uses ECDH
> for ssl by default AFAICT.
I took a brief look at the code. ECDH was introduced somewhere between
0.9.7 and 0.9.8. 0.9.7m doesn't have it (so it was never backported to
those stable releases), 0.9.8 does. The double-free bug, or at least
the code being patched now, is already present in 0.9.8.
Here's the trivial patch:
http://www.mail-archive.com/openssl-dev@openssl.org/msg28049.html
which should work for 0.9.8+ (applies cleanly to 0.9.8, with an offset)
and is not needed for older versions.
Alexander
---
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssl depends on:
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libssl0.9.8 0.9.8o-1 SSL shared libraries
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20090814+nmu2 Common CA certificates
-- no debconf information
More information about the Secure-testing-team
mailing list