Moritz Muehlenhoff
2010-Aug-25 20:03 UTC
[Secure-testing-team] Bug#594415: CVE-2010-2939: Double free
Package: openssl
Version: 0.9.8o-1
Severity: grave
Tags: security

Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939

Solar Designer posted an analysis on oss-security:

---
> Georgi Guninski found a double free issue in openssl's client implementation:
> http://www.mail-archive.com/openssl-dev at openssl.org/msg28043.html
> The affected code also is in pre 1.0 versions but only 1.0 uses ECDH
> for ssl by default AFAICT.

I took a brief look at the code. ECDH was introduced somewhere between
0.9.7 and 0.9.8. 0.9.7m doesn't have it (so it was never backported to
those stable releases), 0.9.8 does. The double-free bug, or at least the
code being patched now, is already present in 0.9.8.

Here's the trivial patch:

http://www.mail-archive.com/openssl-dev at openssl.org/msg28049.html

which should work for 0.9.8+ (applies cleanly to 0.9.8, with an offset)
and is not needed for older versions.

Alexander
---

Cheers,
Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssl depends on:
ii  libc6            2.11.2-2          Embedded GNU C Library: Shared lib
ii  libssl0.9.8      0.9.8o-1          SSL shared libraries
ii  zlib1g           1:1.2.3.4.dfsg-3  compression library - runtime

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20090814+nmu2     Common CA certificates

-- no debconf information