Bug 890764 (CVE-2014-3508) - VUL-1: CVE-2014-3508: openssl: Information leak in pretty printing functions
Summary: VUL-1: CVE-2014-3508: openssl: Information leak in pretty printing functions
Status: RESOLVED FIXED
Alias: CVE-2014-3508
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P2 - High : Major
Target Milestone: ---
Deadline: 2014-09-11
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:58559 wasL3:...
Keywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Depends on:
Blocks:
 
Reported: 2014-08-07 07:21 UTC by Alexander Bergmann
Modified: 2015-03-23 23:05 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
CVE-2014-3508 fix for the 0.9.8 branch. (3.53 KB, patch)
2014-08-07 13:18 UTC, Alexander Bergmann 		Details | Diff
CVE-2014-3508 fix for the 1.0.1 branch. (3.69 KB, patch)
2014-08-07 13:18 UTC, Alexander Bergmann 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2014-08-07 07:21:58 UTC 
This CVE was part of the OpenSSL Security Advisory [6 Aug 2014] (bnc#Bug 890759).

Information leak in pretty printing functions (CVE-2014-3508)
=============================================================

A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information from the
stack. Applications may be affected if they echo pretty printing output to the
attacker. OpenSSL SSL/TLS clients and servers themselves are not affected.

OpenSSL 0.9.8 users should upgrade to 0.9.8zb
OpenSSL 1.0.0 users should upgrade to 1.0.0n.
OpenSSL 1.0.1 users should upgrade to 1.0.1i.

Thanks to Ivan Fratric (Google) for discovering this issue. This issue
was reported to OpenSSL on 19th June 2014.

The fix was developed by Emilia Käsper and Stephen Henson of the OpenSSL
development team.
Comment 1 Alexander Bergmann 2014-08-07 13:18:23 UTC 
Created attachment 601520 [details]
CVE-2014-3508 fix for the 0.9.8 branch.
Comment 2 Alexander Bergmann 2014-08-07 13:18:51 UTC 
Created attachment 601522 [details]
CVE-2014-3508 fix for the 1.0.1 branch.
Comment 3 Swamp Workflow Management 2014-08-07 22:00:23 UTC 
bugbot adjusting priority
Comment 4 SMASH SMASH 2014-08-08 09:02:15 UTC 
Affected packages:

SLE-10-SP3-TERADATA: openssl
SLE-11-SP1: openssl
SLE-11-SP3: openssl, openssl1
Comment 5 Swamp Workflow Management 2014-08-08 14:37:30 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-08-22.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58532
Comment 10 Swamp Workflow Management 2014-08-18 22:04:37 UTC 
SUSE-SU-2014:1033-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 889812,890764,890767,890768,890769,890770
CVE References: CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-5139
Sources used:
SUSE Linux Enterprise Security Module 11 SP3 (src):    openssl1-1.0.1g-0.20.1
Comment 14 Bogdano Arendartchuk 2014-08-19 19:45:22 UTC 
This is the PTF including the fixes for CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508 and CVE-2014-3510. The rest of the requested CVEs are not valid for the OpenSSL version used in SLES11-SP2.

https://ptf.suse.com/e02e74496b32f3d99911eb93f050c62a/sles11-sp2/7256/x86_64/20140819
Comment 15 Swamp Workflow Management 2014-08-20 23:04:29 UTC 
SUSE-SU-2014:1049-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 890764,890767,890768,890769,890770
CVE References: CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3510
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    openssl-0.9.8j-0.62.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    openssl-0.9.8j-0.62.1
SUSE Linux Enterprise Server 11 SP3 (src):    openssl-0.9.8j-0.62.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    openssl-0.9.8j-0.62.1
Comment 16 Swamp Workflow Management 2014-08-21 14:04:41 UTC 
openSUSE-SU-2014:1052-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 890764,890765,890766,890767,890768,890769,890770,890771,890772
CVE References: CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-5139
Sources used:
openSUSE 13.1 (src):    openssl-1.0.1i-11.52.1
openSUSE 12.3 (src):    openssl-1.0.1i-1.64.1
Comment 19 Swamp Workflow Management 2014-08-28 12:20:22 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-09-11.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58762
Comment 29 Swamp Workflow Management 2014-09-09 23:06:04 UTC 
SUSE-SU-2014:1104-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 890764,890767,890768,890769,890770
CVE References: CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3510
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    openssl-0.9.8j-0.62.3
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    openssl-0.9.8j-0.62.3
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    openssl-0.9.8a-18.84.5
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    openssl-0.9.8a-18.45.79.3
Comment 30 Swamp Workflow Management 2014-09-23 23:05:30 UTC 
SUSE-SU-2014:1208-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 859228,859924,860332,862181,870192,890764,890767,890768,890769,890770
CVE References: CVE-2014-0076,CVE-2014-0221,CVE-2014-0224,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3510
Sources used:
SUSE Studio Onsite 1.3 (src):    openssl-0.9.8j-0.62.3
SUSE Manager 1.7 for SLE 11 SP2 (src):    openssl-0.9.8j-0.62.3
Comment 31 Vítězslav Čížek 2014-10-09 12:37:43 UTC 
Reassigning to security-team.
Comment 35 Swamp Workflow Management 2014-12-04 19:05:13 UTC 
SUSE-SU-2014:1557-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 802184,880891,890764,901223,901277,905106
CVE References: CVE-2013-0166,CVE-2013-0169,CVE-2014-0224,CVE-2014-3470,CVE-2014-3508,CVE-2014-3566,CVE-2014-3568
Sources used:
SUSE Linux Enterprise for SAP Applications 11 SP1 (src):    compat-openssl097g-0.9.7g-146.22.25.1
Comment 36 Swamp Workflow Management 2014-12-04 23:05:14 UTC 
SUSE-SU-2014:1557-2: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 802184,880891,890764,901223,901277,905106
CVE References: CVE-2013-0166,CVE-2013-0169,CVE-2014-0224,CVE-2014-3470,CVE-2014-3508,CVE-2014-3566,CVE-2014-3568
Sources used:
SUSE Linux Enterprise Desktop 11 SP3 (src):    compat-openssl097g-0.9.7g-146.22.25.1
Comment 37 Marcus Meissner 2014-12-12 13:21:40 UTC 
released
Comment 38 Swamp Workflow Management 2015-03-23 23:05:50 UTC 
SUSE-SU-2015:0578-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 802184,880891,890764,901223,901277,905106,912014,912015,912018,912293,912296,920236,922488,922496,922499,922500,922501
CVE References: 
Sources used:
SUSE Linux Enterprise for SAP Applications 11 SP2 (src):    compat-openssl097g-0.9.7g-146.22.29.1