Backported bugfix for CVE-2014-3571 causes regressions for DTLS in Ubuntu 14.04

Bug #1622500 reported by Martin Storsjö on 2016-09-12
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssl (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Marc Deslauriers
Trusty
Undecided
Marc Deslauriers

Bug Description

In OpenSSL 1.0.1f on Ubuntu 14.04, there's a regression in using DTLS, caused by a backported bugfix for CVE-2014-3571.

This particular bugfix (debian/patches/CVE-2014-3571-1.patch, corresponding to https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8d7aab986b499f34d9e1bc58fbfd77f05c38116e, originally included upstream in OpenSSL 1.0.1k) caused a regression in using DTLS - see https://rt.openssl.org/Ticket/Display.html?id=3657.

This regression was fixed in OpenSSL 1.0.1m via this commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1895583

This left OpenSSL 1.0.1k and 1.0.1l with the regression, plus Ubuntu 14.04 which backported the first fix but not the later one.

In Debian, their patches for 1.0.1e contain both fixes:
https://sources.debian.net/src/openssl/1.0.1e-2%2Bdeb7u20/debian/patches/0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch/
https://sources.debian.net/src/openssl/1.0.1e-2%2Bdeb7u20/debian/patches/0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch/

Please backport the second fix to the version of 1.0.1f that you maintain for 14.04 LTS.

summary: Backported bugfix for CVE-2014-3571 causes regressions for DTLS in
+ Ubuntu 14.04
Changed in openssl (Ubuntu Precise):
status: New → Confirmed
Changed in openssl (Ubuntu Trusty):
status: New → Confirmed
Changed in openssl (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in openssl (Ubuntu):
status: New → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1-4ubuntu5.37

---------------
openssl (1.0.1-4ubuntu5.37) precise-security; urgency=medium

  * SECURITY UPDATE: Constant time flag not preserved in DSA signing
    - debian/patches/CVE-2016-2178-*.patch: preserve BN_FLG_CONSTTIME in
      crypto/dsa/dsa_ossl.c.
    - CVE-2016-2178
  * SECURITY UPDATE: DTLS buffered message DoS
    - debian/patches/CVE-2016-2179.patch: fix queue handling in
      ssl/d1_both.c, ssl/d1_clnt.c, ssl/d1_lib.c, ssl/d1_srvr.c,
      ssl/ssl_locl.h.
    - CVE-2016-2179
  * SECURITY UPDATE: OOB read in TS_OBJ_print_bio()
    - debian/patches/CVE-2016-2180.patch: fix text handling in
      crypto/ts/ts_lib.c.
    - CVE-2016-2180
  * SECURITY UPDATE: DTLS replay protection DoS
    - debian/patches/CVE-2016-2181-1.patch: properly handle unprocessed
      records in ssl/d1_pkt.c.
    - debian/patches/CVE-2016-2181-2.patch: protect against replay attacks
      in ssl/d1_pkt.c, ssl/ssl.h, ssl/ssl_err.c.
    - debian/patches/CVE-2016-2181-3.patch: update error code in ssl/ssl.h.
    - CVE-2016-2181
  * SECURITY UPDATE: OOB write in BN_bn2dec()
    - debian/patches/CVE-2016-2182.patch: don't overflow buffer in
      crypto/bn/bn_print.c.
    - CVE-2016-2182
  * SECURITY UPDATE: SWEET32 Mitigation
    - debian/patches/CVE-2016-2183.patch: move DES ciphersuites from HIGH
      to MEDIUM in ssl/s3_lib.c.
    - CVE-2016-2183
  * SECURITY UPDATE: Malformed SHA512 ticket DoS
    - debian/patches/CVE-2016-6302.patch: sanity check ticket length in
      ssl/t1_lib.c.
    - CVE-2016-6302
  * SECURITY UPDATE: OOB write in MDC2_Update()
    - debian/patches/CVE-2016-6303.patch: avoid overflow in
      crypto/mdc2/mdc2dgst.c.
    - CVE-2016-6303
  * SECURITY UPDATE: OCSP Status Request extension unbounded memory growth
    - debian/patches/CVE-2016-6304.patch: remove OCSP_RESPIDs from previous
      handshake in ssl/t1_lib.c.
    - CVE-2016-6304
  * SECURITY UPDATE: Certificate message OOB reads
    - debian/patches/CVE-2016-6306-1.patch: check lengths in ssl/s3_clnt.c,
      ssl/s3_srvr.c.
    - debian/patches/CVE-2016-6306-2.patch: make message buffer slightly
      larger in ssl/d1_both.c, ssl/s3_both.c.
    - CVE-2016-6306
  * SECURITY REGRESSION: DTLS regression (LP: #1622500)
    - debian/patches/CVE-2014-3571-3.patch: make DTLS always act as if
      read_ahead is set in ssl/s3_pkt.c.
  * debian/patches/update-expired-smime-test-certs.patch: Update test
    certificates that have expired and caused build test failures.

 -- Marc Deslauriers <email address hidden> Thu, 22 Sep 2016 13:39:47 -0400

Changed in openssl (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1f-1ubuntu2.20

---------------
openssl (1.0.1f-1ubuntu2.20) trusty-security; urgency=medium

  * SECURITY UPDATE: Constant time flag not preserved in DSA signing
    - debian/patches/CVE-2016-2178-*.patch: preserve BN_FLG_CONSTTIME in
      crypto/dsa/dsa_ossl.c.
    - CVE-2016-2178
  * SECURITY UPDATE: DTLS buffered message DoS
    - debian/patches/CVE-2016-2179.patch: fix queue handling in
      ssl/d1_both.c, ssl/d1_clnt.c, ssl/d1_lib.c, ssl/d1_srvr.c,
      ssl/ssl_locl.h.
    - CVE-2016-2179
  * SECURITY UPDATE: OOB read in TS_OBJ_print_bio()
    - debian/patches/CVE-2016-2180.patch: fix text handling in
      crypto/ts/ts_lib.c.
    - CVE-2016-2180
  * SECURITY UPDATE: DTLS replay protection DoS
    - debian/patches/CVE-2016-2181-1.patch: properly handle unprocessed
      records in ssl/d1_pkt.c.
    - debian/patches/CVE-2016-2181-2.patch: protect against replay attacks
      in ssl/d1_pkt.c, ssl/ssl.h, ssl/ssl_err.c.
    - debian/patches/CVE-2016-2181-3.patch: update error code in ssl/ssl.h.
    - CVE-2016-2181
  * SECURITY UPDATE: OOB write in BN_bn2dec()
    - debian/patches/CVE-2016-2182.patch: don't overflow buffer in
      crypto/bn/bn_print.c.
    - CVE-2016-2182
  * SECURITY UPDATE: SWEET32 Mitigation
    - debian/patches/CVE-2016-2183.patch: move DES ciphersuites from HIGH
      to MEDIUM in ssl/s3_lib.c.
    - CVE-2016-2183
  * SECURITY UPDATE: Malformed SHA512 ticket DoS
    - debian/patches/CVE-2016-6302.patch: sanity check ticket length in
      ssl/t1_lib.c.
    - CVE-2016-6302
  * SECURITY UPDATE: OOB write in MDC2_Update()
    - debian/patches/CVE-2016-6303.patch: avoid overflow in
      crypto/mdc2/mdc2dgst.c.
    - CVE-2016-6303
  * SECURITY UPDATE: OCSP Status Request extension unbounded memory growth
    - debian/patches/CVE-2016-6304.patch: remove OCSP_RESPIDs from previous
      handshake in ssl/t1_lib.c.
    - CVE-2016-6304
  * SECURITY UPDATE: Certificate message OOB reads
    - debian/patches/CVE-2016-6306-1.patch: check lengths in ssl/s3_clnt.c,
      ssl/s3_srvr.c.
    - debian/patches/CVE-2016-6306-2.patch: make message buffer slightly
      larger in ssl/d1_both.c, ssl/s3_both.c.
    - CVE-2016-6306
  * SECURITY REGRESSION: DTLS regression (LP: #1622500)
    - debian/patches/CVE-2014-3571-3.patch: make DTLS always act as if
      read_ahead is set in ssl/s3_pkt.c.
  * debian/patches/update-expired-smime-test-certs.patch: Update test
    certificates that have expired and caused build test failures.

 -- Marc Deslauriers <email address hidden> Thu, 22 Sep 2016 13:38:15 -0400

Changed in openssl (Ubuntu Trusty):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers