Date: Sun, 13 Apr 2014 10:09:36 +0200 (CEST)
From: Christian Kratzer
To: freebsd-security@freebsd.org
Cc: Christian Kratzer
Subject: OpenSSL followup SSL_MODE_RELEASE_BUFFERS

Hi,

apparently openbsd has more or less silently fixed an older openssl issue that has been stuck in the openssl bug tracker:

The openbsd patch:

http://www.openbsd.org/errata55.html#004_openssl
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig

The original issue:

http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse

Here is the openssl bug:

http://rt.openssl.org/Ticket/Display.html?id=2167

The patch;

diff -u -p -u -r1.20 -r1.20.4.1 --- lib/libssl/src/ssl/s3_pkt.c 27 Feb 2014 21:04:57 -0000 1.20 +++ lib/libssl/src/ssl/s3_pkt.c 12 Apr 2014 17:01:14 -0000 1.20.4.1 @@ -1054,7 +1054,7 @@ start: { s->rstate=SSL_ST_READ_HEADER; rr->off=0; - if (s->mode & SSL_MODE_RELEASE_BUFFERS) + if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0) ssl3_release_read_buffer(s); } }

Can somebody rattle openssl upstream to get them to comment on this? Should freebsd roll out a patch?

Greetings
Christian

-- 
Christian Kratzer                   CK Software GmbH
Email:   ck@cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Managing Director: Christian Kratzer
Web:     http://www.cksoft.de/
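Review bot: The added condition in the s3_pkt.c hunk mixes `&` and `&&` without parentheses and carries no comment explaining the new `s->s3->rbuf.left == 0` test. C precedence does group it as intended, `(s->mode & SSL_MODE_RELEASE_BUFFERS) && (s->s3->rbuf.left == 0)`, but writing the parentheses out would make that obvious to the next reader and keep compilers that warn on mixed bitwise and logical operators quiet. A one-line comment above the `if` stating that the read buffer is released only once nothing is left in it would record why the guard exists, since the hunk itself only shows that `ssl3_release_read_buffer(s)` is now skipped while `rbuf.left` is non-zero.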