From owner-freebsd-security@FreeBSD.ORG  Sun Apr 13 08:09:44 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 3B68A6F1
 for <freebsd-security@freebsd.org>; Sun, 13 Apr 2014 08:09:44 +0000 (UTC)
Received: from mx1.cksoft.de (mx1.cksoft.de [IPv6:2001:67c:24f8:1::25:1])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "mx1.cksoft.de", Issuer "CA" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id E87491471
 for <freebsd-security@freebsd.org>; Sun, 13 Apr 2014 08:09:43 +0000 (UTC)
Received: from m.cksoft.de (unknown [IPv6:2003:41:c010:8001::143:1])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.cksoft.de (Postfix) with ESMTP id 8EEEA2EBBFD
 for <freebsd-security@freebsd.org>; Sun, 13 Apr 2014 10:09:40 +0200 (CEST)
Received: from amavis.ahti.cksoft.de (unknown
 [IPv6:fdfe:5560:83f7:8001::143:2])
 by m.cksoft.de (Postfix) with ESMTP id 151EFED7FC
 for <freebsd-security@freebsd.org>; Sun, 13 Apr 2014 10:09:40 +0200 (CEST)
X-Virus-Scanned: amavisd-new at cksoft.de
Received: from m.cksoft.de ([IPv6:fdfe:5560:83f7:8001::143:1])
 by amavis.ahti.cksoft.de (amavis.ahti.cksoft.de [fdfe:5560:83f7:8001::143:2])
 (amavisd-new, port 10024)
 with ESMTP id Uc7DI+tMBqQl; Sun, 13 Apr 2014 10:09:37 +0200 (CEST)
Received: from pohjola.cksoft.de (unknown
 [IPv6:fdfe:5560:83f7:8001:d899:97e:8e91:f22d])
 by m.cksoft.de (Postfix) with ESMTP id E8B6BED7F7;
 Sun, 13 Apr 2014 10:09:36 +0200 (CEST)
Received: by pohjola.cksoft.de (Postfix, from userid 1000)
 id D9D03D7902; Sun, 13 Apr 2014 10:09:36 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
 by pohjola.cksoft.de (Postfix) with ESMTP id D7A3DD7891;
 Sun, 13 Apr 2014 10:09:36 +0200 (CEST)
Date: Sun, 13 Apr 2014 10:09:36 +0200 (CEST)
From: Christian Kratzer <ck-lists@cksoft.de>
X-X-Sender: ck@pohjola.cksoft.de
To: freebsd-security@freebsd.org
Subject: OpenSSL followup SSL_MODE_RELEASE_BUFFERS
Message-ID: <alpine.BSF.2.00.1404130957330.17735@pohjola.cksoft.de>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
X-Spammer-Kill-Ratio: 75%
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Cc: Christian Kratzer <ck@cksoft.de>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: Christian Kratzer <ck@cksoft.de>
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Apr 2014 08:09:44 -0000

Hi,

apparentyly openbsd has more or less silently fixed an older openssl issue that has been stuck in the openssl bug tracker:

The openbsd patch:

     http://www.openbsd.org/errata55.html#004_openssl

     http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig

The original issue:

     http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse

Here is the openssl bug:

     http://rt.openssl.org/Ticket/Display.html?id=2167

The patch;

     diff -u -p -u -r1.20 -r1.20.4.1
     --- lib/libssl/src/ssl/s3_pkt.c	27 Feb 2014 21:04:57 -0000	1.20
     +++ lib/libssl/src/ssl/s3_pkt.c	12 Apr 2014 17:01:14 -0000	1.20.4.1
     @@ -1054,7 +1054,7 @@ start:
 				    {
 				    s->rstate=SSL_ST_READ_HEADER;
 				    rr->off=0;
     -				if (s->mode & SSL_MODE_RELEASE_BUFFERS)
     +				if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
 					    ssl3_release_read_buffer(s);
 				    }
 			    }

Can somebody rattle openssl upstream to get them to comment on this ?

Should freebsd roll out a patch ?

Greetings
Christian

-- 
Christian Kratzer                   CK Software GmbH
Email:   ck@cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/