openbsd-security-announce April 2009 archive
Main Archive Page > Month Archives  > openbsd-security-announce archives
openbsd-security-announce: OpenSSL CVE-2009-0590 and CVE-2009-07

OpenSSL CVE-2009-0590 and CVE-2009-0789: ASN.1 invalid memory access

From: Damien Miller <djm_at_nospam>
Date: Wed Apr 08 2009 - 02:53:23 GMT
To: security-announce@openbsd.org

A number of exploitable flaws in OpenSSL's ASN.1 handling code have been found. These errors permit denial-of-service (crashing) of applications that use OpenSSL's libcrypto to parse or print ASN.1 objects.

The vulnerabilities have been designated CVE-2009-0590 and CVE-2009-0789 and are described in more detail in OpenSSL's security advisory:

    http://www.openssl.org/news/secadv_20090325.txt

Please note that the other, more serious issue described in the OpenSSL advisory "Incorrect Error Checking During CMS verification" does not affect OpenBSD as we have not enabled the offending code.

Source code patches are available for OpenBSD 4.3, 4.4 and 4.5. OpenBSD -current has been updated to OpenSSL 0.9.8k, which is not vulnerable.

Patch for OpenBSD 4.5:

    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_openssl.patch

Patch for OpenBSD 4.4:

    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/012_openssl.patch

Patch for OpenBSD 4.3:

    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/012_openssl.patch

These patches are also available in the OPENBSD_4_5, OPENBSD_4_4 and OPENBSD_4_3 patch branches.