From owner-freebsd-security@FreeBSD.ORG Thu Jan 8 02:01:26 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9E30510656C4 for ; Thu, 8 Jan 2009 02:01:26 +0000 (UTC) (envelope-from kitchetech@gmail.com) Received: from mail-fx0-f11.google.com (mail-fx0-f11.google.com [209.85.220.11]) by mx1.freebsd.org (Postfix) with ESMTP id 019858FC21 for ; Thu, 8 Jan 2009 02:01:25 +0000 (UTC) (envelope-from kitchetech@gmail.com) Received: by fxm4 with SMTP id 4so1605644fxm.19 for ; Wed, 07 Jan 2009 18:01:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type:references; bh=PNwjAx+2olO7mYiDKU711CCG7O/4nxbtUCq5qm+5r3M=; b=Eyli3M+exeUN74DSRJZPP//OO33XdUGGeIOOfCytnvr/Q6PMmn2dfkHbuKN6dNI8oy HIz8wn2AQNxHR9nyXaFNlCxG/yUHP/xI4yvyjGnpIu/g+z8c6H6e1yvT2p/XZ2DbcB6l gDhlPLdy1emJvZI0R3EQ/XfgZPYCe//AV39ow= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:references; b=DGdFqS2yylWnxH7wY6ZqH0dFxzMagNv5x6XZ0WnKFknbWJqTTLsvqwplDt7GlolTP/ 3LYlZfVRYDrdluD/oS+lrzTH+4K1/BBeqkmllOH8C++OW5aQblD1GXrLcrlvyQV2ZwoX epPdWTsDx+rEjW1ZKNhClK9zy1EmAVk1YLXvs= Received: by 10.181.20.6 with SMTP id x6mr9117680bki.167.1231378217623; Wed, 07 Jan 2009 17:30:17 -0800 (PST) Received: by 10.181.14.6 with HTTP; Wed, 7 Jan 2009 17:30:17 -0800 (PST) Message-ID: <28283d910901071730if218355pdde2752cccc79b44@mail.gmail.com> Date: Wed, 7 Jan 2009 20:30:17 -0500 From: "matt donovan" To: "Matthew Seaman" In-Reply-To: <49653163.4070904@infracaninophile.co.uk> MIME-Version: 1.0 References: <200901072137.n07LbHwD049781@freefall.freebsd.org> <49653163.4070904@infracaninophile.co.uk> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:02.openssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jan 2009 02:01:27 -0000 On Wed, Jan 7, 2009 at 5:49 PM, Matthew Seaman < m.seaman@infracaninophile.co.uk> wrote: > FreeBSD Security Advisories wrote: > > I. Background >> >> FreeBSD includes software from the OpenSSL Project. The OpenSSL Project >> is >> a collaborative effort to develop a robust, commercial-grade, >> full-featured >> Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) >> and Transport Layer Security (TLS v1) protocols as well as a full-strength >> general purpose cryptography library. >> >> II. Problem Description >> >> The EVP_VerifyFinal() function from OpenSSL is used to determine if a >> digital signature is valid. The SSL layer in OpenSSL uses >> EVP_VerifyFinal(), which in several places checks the return value >> incorrectly and treats verification errors as a good signature. This >> is only a problem for DSA and ECDSA keys. >> >> III. Impact >> >> For applications using OpenSSL for SSL connections, an invalid SSL >> certificate may be interpreted as valid. This could for example be >> used by an attacker to perform a man-in-the-middle attack. >> >> Other applications which use the OpenSSL EVP API may similarly be >> affected. >> > > The oCert advisory at http://ocert.org/advisories/ocert-2008-016.html > lists BIND and NTP as affected packages. Don't the base system versions > of those apps also need patching? > > Cheers, > > Matthew > > > -- > Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard > Flat 3 > PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate > Kent, CT11 9PW I was told they don't but I believe they do since it's the code inside of ntp and bind don't check the return code correctly from what I can tell for the OpenSSL EVP API