Bug 922501 (CVE-2015-0292) - VUL-1: CVE-2015-0292: openssl: Base64 decode
Summary: VUL-1: CVE-2015-0292: openssl: Base64 decode
Status: RESOLVED FIXED
Alias: CVE-2015-0292
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle10-sp3:61133 maint...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-16 11:00 UTC by Marcus Meissner
Modified: 2015-03-23 23:08 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
patch for openssl 0.9.8 (887 bytes, patch)
2015-03-17 10:23 UTC, Vítězslav Čížek 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Swamp Workflow Management 2015-03-16 23:02:03 UTC 
bugbot adjusting priority
Comment 2 Vítězslav Čížek 2015-03-17 10:23:18 UTC 
Created attachment 627156 [details]
patch for openssl 0.9.8
Comment 7 Marcus Meissner 2015-03-17 17:52:27 UTC 
This issue was fixed before 1.0.1h, so newer openssl releases are not affected.
Comment 9 Marcus Meissner 2015-03-18 14:08:27 UTC 
Reproducer (all in one line):

echo ZW5jb2RlIG1lCg================================================================== | openssl enc -d -base64

Before:
Segmentation fault.

After:
<No output.>
Comment 10 Marcus Meissner 2015-03-19 14:13:35 UTC 
http://openssl.org/news/secadv_20150319.txt

Base64 decode (CVE-2015-0292)
=============================

Severity: Moderate

A vulnerability existed in previous versions of OpenSSL related to the
processing of base64 encoded data. Any code path that reads base64 data from an
untrusted source could be affected (such as the PEM processing routines).
Maliciously crafted base 64 data could trigger a segmenation fault or memory
corruption. This was addressed in previous versions of OpenSSL but has not been
included in any security advisory until now.

This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1h.
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 0.9.8 users should upgrade to 0.9.8za.

The fix for this issue can be identified by commits d0666f289a (1.0.1),
84fe686173 (1.0.0) and 9febee0272 (0.9.8). This issue was originally reported by
Robert Dugal and subsequently by David Ramos.
Comment 11 Swamp Workflow Management 2015-03-19 20:05:52 UTC 
SUSE-SU-2015:0543-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 920236,922488,922496,922499,922500,922501
CVE References: CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293
Sources used:
SUSE Linux Enterprise for SAP Applications 11 SP1 (src):    compat-openssl097g-0.9.7g-146.22.29.1
Comment 12 Swamp Workflow Management 2015-03-19 22:06:08 UTC 
SUSE-SU-2015:0545-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 915976,919648,920236,922488,922496,922499,922500,922501
CVE References: CVE-2009-5146,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    openssl-0.9.8j-0.70.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    openssl-0.9.8j-0.70.1
Comment 13 Swamp Workflow Management 2015-03-19 22:07:27 UTC 
SUSE-SU-2015:0546-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 919648,920236,922488,922496,922499,922500,922501
CVE References: CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293
Sources used:
SUSE Linux Enterprise Security Module 11 SP3 (src):    openssl1-1.0.1g-0.26.1
Comment 14 Swamp Workflow Management 2015-03-19 22:08:28 UTC 
SUSE-SU-2015:0547-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 922488,922496,922499,922500,922501
CVE References: CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293
Sources used:
SUSE Linux Enterprise Desktop 11 SP3 (src):    compat-openssl097g-0.9.7g-146.22.29.1
SLES for SAP Applications (src):    compat-openssl097g-0.9.7g-146.22.29.1
Comment 15 Swamp Workflow Management 2015-03-19 22:09:26 UTC 
SUSE-SU-2015:0548-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 922488,922496,922499,922500,922501
CVE References: 
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    compat-openssl097g-0.9.7g-13.29.1
Comment 16 Swamp Workflow Management 2015-03-19 22:10:45 UTC 
SUSE-SU-2015:0549-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 919648,920236,922488,922496,922499,922500,922501
CVE References: 
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    openssl-0.9.8a-18.90.1
Comment 17 Swamp Workflow Management 2015-03-20 11:06:13 UTC 
SUSE-SU-2015:0553-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 915976,919648,920236,922488,922496,922499,922500,922501
CVE References: CVE-2009-5146,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293
Sources used:
SUSE Linux Enterprise Module for Legacy Software 12 (src):    compat-openssl098-0.9.8j-73.2
Comment 18 Swamp Workflow Management 2015-03-20 12:06:14 UTC 
SUSE-SU-2015:0553-2: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 915976,919648,920236,922488,922496,922499,922500,922501
CVE References: CVE-2009-5146,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293
Sources used:
SUSE Linux Enterprise Desktop 12 (src):    compat-openssl098-0.9.8j-73.2
Comment 19 Swamp Workflow Management 2015-03-20 22:06:00 UTC 
SUSE-SU-2015:0546-2: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 919648,920236,922488,922496,922499,922500,922501
CVE References: CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293
Sources used:
SLE CLIENT TOOLS 10 for x86_64 (src):    openssl-0.9.8a-18.90.1
SLE CLIENT TOOLS 10 for s390x (src):    openssl-0.9.8a-18.90.1
SLE CLIENT TOOLS 10 (src):    openssl-0.9.8a-18.90.1
Comment 20 Swamp Workflow Management 2015-03-20 23:06:06 UTC 
SUSE-SU-2015:0545-2: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 915976,919648,920236,922488,922496,922499,922500,922501
CVE References: CVE-2009-5146,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293
Sources used:
SUSE Studio Onsite 1.3 (src):    openssl-0.9.8j-0.70.1
SUSE Manager 1.7 for SLE 11 SP2 (src):    openssl-0.9.8j-0.70.1
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    openssl-0.9.8j-0.70.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    openssl-0.9.8j-0.70.1
SUSE Linux Enterprise Server 11 SP3 (src):    openssl-0.9.8j-0.70.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    openssl-0.9.8j-0.70.1
Comment 21 Marcus Meissner 2015-03-22 12:42:57 UTC 
released
Comment 22 Swamp Workflow Management 2015-03-23 23:08:25 UTC 
SUSE-SU-2015:0578-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 802184,880891,890764,901223,901277,905106,912014,912015,912018,912293,912296,920236,922488,922496,922499,922500,922501
CVE References: 
Sources used:
SUSE Linux Enterprise for SAP Applications 11 SP2 (src):    compat-openssl097g-0.9.7g-146.22.29.1