-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-012
=================================

Topic:		SHA2 implementation potential buffer overflow
Version:	NetBSD-current:		affected prior to 2009-05-26
		NetBSD 5.0:		affected
		NetBSD 4.0.*:		affected
		NetBSD 4.0:		affected

Severity:	Denial of Service
Fixed:		NetBSD-current:		May 26, 2009
		NetBSD-5-0 branch:	Jul 11, 2009
		NetBSD-5 branch:	Jul 11, 2009
		NetBSD-4-0 branch:	Jul 22, 2009
		NetBSD-4 branch:	Jul 22, 2009

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

An error initializing a SHA2 context causes vulnerable applications using
libcrypto to suffer a 4- or 8-byte buffer overflow (for SHA256 and
SHA512 respectively) with fixed content, potentially causing those
applications to crash.

Technical Details
=================

A program that uses the SHA2 implementation declared in sys/sha2.h in
NetBSD and links against libcrypto is vulnerable to a 4- or 8-byte
buffer overflow (for SHA256 and SHA512 respectively) with fixed content.

The overflow occurs at the time the hash init function is called (e.g.
SHA256_Init). The init function passes the wrong size for the context
as the length argument to memset, which therefore writes its fill value
over 4 (SHA256) or 8 (SHA512) bytes of memory located immediately after
the buffer holding the context. Both the number of bytes and their value
are fixed, so the effect is limited to corrupting whatever happens to
follow the context, typically resulting in a crash.

In the NetBSD base system, this affects the libssh library as well as
the pkg_install framework. In libssh, the overflow occurs on the heap
of the program using it; in pkg_install, the context lives on the stack,
so the bytes after it on the stack are overwritten.

Solutions and Workarounds
=========================
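The following C program is an added illustration only: it is not NetBSD's libc or libcrypto source, and the advisory itself quotes no code. It models the defect class described under Technical Details with two invented context layouts, app_* standing in for the definition a program compiles against and lib_* for the larger definition the linked init routine sizes its memset by, shows that init overrunning the caller's context by exactly 4 (SHA256) or 8 (SHA512) bytes, and contrasts it with an init that takes its size from the same definition the caller used. Every type, field and function name below is an assumption made for the demo; only the 4- and 8-byte differences are taken from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical layouts (not NetBSD's or OpenSSL's). The app_* structs are
 * what the program allocates; the lib_* structs carry one extra word, so
 * the init that sizes its memset by them writes past an app_* context by
 * 4 bytes (SHA256) or 8 bytes (SHA512), as in the advisory.
 */
typedef struct {
    uint32_t state[8];
    uint32_t bitcount[2];
    uint8_t  buffer[64];
} app_sha256_ctx;                 /* 104 bytes, 4-byte alignment */

typedef struct {
    uint32_t state[8];
    uint32_t bitcount[2];
    uint8_t  buffer[64];
    uint32_t num;                 /* extra word: 108 bytes */
} lib_sha256_ctx;

typedef struct {
    uint64_t state[8];
    uint64_t bitcount[2];
    uint8_t  buffer[128];
} app_sha512_ctx;                 /* 208 bytes, 8-byte alignment */

typedef struct {
    uint64_t state[8];
    uint64_t bitcount[2];
    uint8_t  buffer[128];
    uint64_t num;                 /* extra word: 216 bytes */
} lib_sha512_ctx;

/* Vulnerable pattern: the init sizes the memset by its own, larger definition. */
static void vuln_sha256_init(void *ctx) { memset(ctx, 0, sizeof(lib_sha256_ctx)); }
static void vuln_sha512_init(void *ctx) { memset(ctx, 0, sizeof(lib_sha512_ctx)); }

/* Fixed pattern: init and caller share one definition, so sizeof *ctx is right. */
static void fixed_sha256_init(void *p)
{
    app_sha256_ctx *ctx = p;
    memset(ctx, 0, sizeof *ctx);
}

/*
 * Guard-buffer probe: run an init on a buffer holding the caller's context
 * followed by 0xAA guard bytes, and count how many guard bytes were zeroed.
 * The whole buffer is one object, so the memset stays well defined while
 * the count equals the overrun a real caller would suffer.
 */
static size_t overflow_bytes(void (*init)(void *), size_t ctx_size)
{
    unsigned char buf[512];
    size_t n = 0;

    memset(buf, 0xAA, sizeof buf);
    init(buf);
    for (size_t i = ctx_size; i < sizeof buf && buf[i] == 0; i++)
        n++;
    return n;
}

size_t sha256_overflow(void)       { return overflow_bytes(vuln_sha256_init, sizeof(app_sha256_ctx)); }
size_t sha512_overflow(void)       { return overflow_bytes(vuln_sha512_init, sizeof(app_sha512_ctx)); }
size_t fixed_sha256_overflow(void) { return overflow_bytes(fixed_sha256_init, sizeof(app_sha256_ctx)); }

/* The check a caller wants: do the two context definitions actually agree? */
int ctx_definitions_agree(void)
{
    return sizeof(app_sha256_ctx) == sizeof(lib_sha256_ctx)
        && sizeof(app_sha512_ctx) == sizeof(lib_sha512_ctx);
}

int main(void)
{
    printf("SHA256 init overruns the caller's context by %zu bytes\n", sha256_overflow());
    printf("SHA512 init overruns the caller's context by %zu bytes\n", sha512_overflow());
    printf("fixed SHA256 init overruns by %zu bytes\n", fixed_sha256_overflow());
    printf("context definitions agree: %s\n", ctx_definitions_agree() ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -Wall demo.c && ./a.out`. In a real program the two layouts come from different headers that cannot both be included, so a compile-time size comparison like ctx_definitions_agree is not available; the practical checks are a guard-buffer probe like overflow_bytes run once at startup against the init the binary actually links, or an audit of which shared object provides the SHA256_Init symbol the binary resolves.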

A workaround for this issue for programs in the NetBSD base system
is to disable SHA256 as an HMAC for the secure shell, and to avoid
using the audit facility as well as signed packages.

To determine whether or not a package is signed, run the command
% tar tzf package.tgz
on the package. If the first file of the package is +PKG_HASH,
then the package is signed.

The following instructions describe how to upgrade your libc, libcrypt
and libcrypto binaries by updating your source tree and rebuilding and
installing new versions of those three libraries.

* NetBSD-current:
Systems running NetBSD-current dated from before 2009-05-26
should be upgraded to NetBSD-current dated 2009-05-27 or later.

The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
common/lib/libc/hash/sha2
distrib/sets/lists
lib/libc
lib/libcrypto
sys/sys

To update from CVS, rebuild, and reinstall libc, libcrypt and libcrypto:
# cd src
# cvs update -d -P common/lib/libc/hash/sha2
# cvs update -d -P distrib/sets/lists
# cvs update -d -P lib/libc
# cvs update -d -P lib/libcrypto
# cvs update -d -P sys/sys
# cd sys/sys
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# cd ../../lib/libc
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 5.*:
Systems running NetBSD 5.* sources dated from before
2009-07-11 should be upgraded from NetBSD 5.* sources dated
2009-07-12 or later.

The following files/directories need to be updated from the
netbsd-5 or netbsd-5-0 branches:
common/lib/libc/hash/sha2
distrib/sets/lists
lib/libc
lib/libcrypto
sys/sys

To update from CVS, rebuild, and reinstall libc, libcrypt and libcrypto
(cvs update -r needs the branch tag; use -r netbsd-5-0 in place of
-r netbsd-5 when tracking the netbsd-5-0 branch):
# cd src
# cvs update -r netbsd-5 -d -P common/lib/libc/hash/sha2
# cvs update -r netbsd-5 -d -P distrib/sets/lists
# cvs update -r netbsd-5 -d -P lib/libc
# cvs update -r netbsd-5 -d -P lib/libcrypto
# cvs update -r netbsd-5 -d -P sys/sys
# cd sys/sys
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# cd ../../lib/libc
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 4.*:
Systems running NetBSD 4.* sources dated from before
2009-07-22 should be upgraded from NetBSD 4.* sources dated
2009-07-23 or later.

The following files/directories need to be updated from the
netbsd-4 or netbsd-4-0 branches:
common/lib/libc/hash/sha2
distrib/sets/lists
lib/libc
lib/libcrypto
sys/sys

To update from CVS, rebuild, and reinstall libc, libcrypt and libcrypto
(cvs update -r needs the branch tag; use -r netbsd-4-0 in place of
-r netbsd-4 when tracking the netbsd-4-0 branch):
# cd src
# cvs update -r netbsd-4 -d -P common/lib/libc/hash/sha2
# cvs update -r netbsd-4 -d -P distrib/sets/lists
# cvs update -r netbsd-4 -d -P lib/libc
# cvs update -r netbsd-4 -d -P lib/libcrypto
# cvs update -r netbsd-4 -d -P sys/sys
# cd sys/sys
# make USETOOLS=no cleandir
# make USETOOLS=no includes
# cd ../../lib/libc
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

Thanks To
=========

Joerg Sonnenberger for finding, reporting and fixing the issue.

Revision History
================

2009-07-28	Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-012.t...

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-012.txt,v 1.1 2009/07/28 18:29:29 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQIcBAEBAgAGBQJKb0ijAAoJEAZJc6xMSnBuBEEP+wa1ybcKmHkq16evmfBdGIpM
...
=GZuc
-----END PGP SIGNATURE-----