-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-012
=================================

Topic:      SHA2 implementation potential buffer overflow

Version:    NetBSD-current:     affected prior to 2009-05-26
            NetBSD 5.0:         affected
            NetBSD 4.0.*:       affected
            NetBSD 4.0:         affected

Severity:   Denial of Service

Fixed:      NetBSD-current:     May 26, 2009
            NetBSD-5-0 branch:  Jul 11, 2009
            NetBSD-5 branch:    Jul 11, 2009
            NetBSD-4-0 branch:  Jul 22, 2009
            NetBSD-4 branch:    Jul 22, 2009

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An error initializing a SHA2 context causes vulnerable applications
using libcrypto to suffer from a 4- or 8-byte buffer overflow (for
SHA256 and SHA512 respectively) with fixed content, potentially causing
applications to crash.


Technical Details
=================

A program using the SHA2 implementation from sys/sha2.h in NetBSD and
linking against libcrypto is vulnerable to a 4- or 8-byte buffer
overflow (for SHA256 and SHA512 respectively) with fixed content. The
overflow occurs at the time the hash init function is called (e.g.
SHA256_Init). The init function passes the wrong size for the context
as an argument to memset, which then overwrites 4 bytes of the memory
buffer located after the one holding the context.

In the NetBSD base system, this affects the libssh library as well as
the pkg_install framework. In libssh, the overflow occurs on the heap of
the program using it; in pkg_install a stack overflow occurs.


Solutions and Workarounds
=========================

A workaround for this issue for programs in the NetBSD base system is
to disable SHA256 as an HMAC for the secure shell and to avoid using the
audit facility as well as signed packages. To determine whether or not
a package is signed, run the command

        % tar tzf package.tgz

on the package. If the first file of the package is +PKG_HASH, then the
package is signed.
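The size mismatch described under Technical Details, reduced to a self-contained harness. This is an added example, not NetBSD's code: the context layout, the DEMO_ names and the 4-byte discrepancy are assumptions chosen to mirror the SHA256 case, and the canary lives inside the same allocation so the over-clear stays within one heap block and can be measured.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical context layout modelled on SHA-256 state (not NetBSD's
 * real SHA256_CTX): 8 state words, a 64-bit bit count, one block buffer. */
typedef struct {
    uint32_t state[8];
    uint64_t bitcount;
    uint8_t  buffer[64];
} demo_sha256_ctx;

/* Size the init routine *believes* the context has: 4 bytes more than the
 * caller's struct, the kind of mismatch the advisory describes. */
#define DEMO_WRONG_CTX_SIZE (sizeof(demo_sha256_ctx) + 4)

/* Buggy pattern: clears 4 bytes past the end of the context with zeros,
 * i.e. an overflow of fixed content. */
static void demo_init_buggy(demo_sha256_ctx *ctx) {
    memset(ctx, 0, DEMO_WRONG_CTX_SIZE);
}

/* Corrected pattern: the length is derived from the object being cleared,
 * so it cannot drift from the caller's struct definition. */
static void demo_init_fixed(demo_sha256_ctx *ctx) {
    memset(ctx, 0, sizeof(*ctx));
}

/* Harness: place an 8-byte 0xAA canary directly after the context in one
 * malloc'd block, run an init routine, and return how many canary bytes
 * were overwritten. Returns -1 on allocation failure. */
static int demo_count_clobbered(void (*init)(demo_sha256_ctx *)) {
    size_t ctx_size = sizeof(demo_sha256_ctx), total = ctx_size + 8;
    uint8_t *block = malloc(total);
    if (block == NULL) return -1;
    memset(block + ctx_size, 0xAA, 8);
    init((demo_sha256_ctx *)block);
    int clobbered = 0;
    for (size_t i = ctx_size; i < total; i++)
        if (block[i] != 0xAA) clobbered++;
    free(block);
    return clobbered;
}

int main(void) {
    printf("buggy init clobbers %d bytes after the context, fixed init %d\n",
           demo_count_clobbered(demo_init_buggy),
           demo_count_clobbered(demo_init_fixed));
    return 0;
}
```

With a stack- or heap-allocated context in real code the 4 bytes land in whatever neighbours it, which is why the advisory reports heap corruption in libssh and stack corruption in pkg_install.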
The following instructions describe how to upgrade your libcrypto and
libc binaries by updating your source tree and rebuilding and installing
a new version of the three facilities.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2009-05-26
        should be upgraded to NetBSD-current dated 2009-05-27 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):

                common/lib/libc/hash/sha2
                distrib/sets/lists
                lib/libc
                lib/libcrypto
                sys/sys

        To update from CVS, re-build, and re-install libc and libcrypto:

                # cd src
                # cvs update -d -P common/lib/libc/hash/sha2
                # cvs update -d -P distrib/sets/lists
                # cvs update -d -P lib/libc
                # cvs update -d -P lib/libcrypto
                # cvs update -d -P sys/sys
                # cd sys/sys
                # make USETOOLS=no cleandir
                # make USETOOLS=no includes
                # cd ../../lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libcrypt
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libcrypto
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 5.*:

        Systems running NetBSD 5.* sources dated from before 2009-07-11
        should be upgraded from NetBSD 5.* sources dated 2009-07-12 or
        later.
        The following files/directories need to be updated from the
        netbsd-5 or netbsd-5-0 branches:

                common/lib/libc/hash/sha2
                distrib/sets/lists
                lib/libc
                lib/libcrypto
                sys/sys

        To update from CVS, re-build, and re-install libc and libcrypto:

                # cd src
                # cvs update -r -d -P common/lib/libc/hash/sha2
                # cvs update -r -d -P distrib/sets/lists
                # cvs update -r -d -P lib/libc
                # cvs update -r -d -P lib/libcrypto
                # cvs update -r -d -P sys/sys
                # cd sys/sys
                # make USETOOLS=no cleandir
                # make USETOOLS=no includes
                # cd ../../lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libcrypt
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libcrypto
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before 2009-07-22
        should be upgraded from NetBSD 4.* sources dated 2009-07-23 or
        later.

        The following files/directories need to be updated from the
        netbsd-4 or netbsd-4-0 branches:

                common/lib/libc/hash/sha2
                distrib/sets/lists
                lib/libc
                lib/libcrypto
                sys/sys

        To update from CVS, re-build, and re-install libc and libcrypto:

                # cd src
                # cvs update -r -d -P common/lib/libc/hash/sha2
                # cvs update -r -d -P distrib/sets/lists
                # cvs update -r -d -P lib/libc
                # cvs update -r -d -P lib/libcrypto
                # cvs update -r -d -P sys/sys
                # cd sys/sys
                # make USETOOLS=no cleandir
                # make USETOOLS=no includes
                # cd ../../lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libcrypt
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../libcrypto
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

Joerg Sonnenberger for finding, reporting and fixing the issue.


Revision History
================

        2009-07-28      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
        http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2009-012.txt.asc

Information about NetBSD and NetBSD security can be found at
        http://www.NetBSD.org/
        http://www.NetBSD.org/Security/


Copyright 2009, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-012.txt,v 1.1 2009/07/28 18:29:29 tonnerre Exp $