Your message dated Wed, 07 Jan 2009 17:47:13 +0000
with message-id <[email protected]>
and subject line Bug#506111: fixed in openssl 0.9.8g-15
has caused the Debian Bug report #506111,
regarding openssl command line tool crashes if IPv6 addressis given as 
subjectAltName
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
506111: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506111
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 0.9.8g-14
Severity: normal



The openssl command line tool sometimes segfaults when a IPv6 address is 
given as SubjectAltName in an X.509_v3 extension.

Steps to reproduce:

copy the attached files into the same directory and issue

openssl req -config ssl.conf -new -key privkey.pem -out newreq.pem


valgrind:

==19593== Process terminating with default action of signal 11 (SIGSEGV)
==19593==  Access not within mapped region at address 0x491BD0C
==19593==    at 0x4024A30: memcpy (mc_replace_strmem.c:402)
==19593==    by 0x415FFBA: ASN1_STRING_set (in 
/usr/lib/i686/cmov/libcrypto.so.0.9.8)
==19593==    by 0x414955A: ASN1_OCTET_STRING_set (in 
/usr/lib/i686/cmov/libcrypto.so.0.9.8)
==19593==    by 0x4177A05: a2i_IPADDRESS (in 
/usr/lib/i686/cmov/libcrypto.so.0.9.8)
==19593==    by 0x4178887: v2i_GENERAL_NAME_ex (in 
/usr/lib/i686/cmov/libcrypto.so.0.9.8)
==19593==    by 0x4178B7A: v2i_GENERAL_NAME (in 
/usr/lib/i686/cmov/libcrypto.so.0.9.8)


-- System Information:
Debian Release: lenny/sid
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.25-2-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages openssl depends on:
ii  libc6                  2.7-16            GNU C Library: Shared libraries
ii  libssl0.9.8            0.9.8g-14         SSL shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

openssl recommends no packages.

-- no debconf information
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAuWOV1YaPCfjSxRIg6nJGfI9NZWEu6YJXzXqa+05+4UH8vbD+
Zcz6RjjQ+QnV4xXYNr7kSoBqCBnIby9Ntd6kcUV7gwF3t8W9vyAkMI2W3W+hEyHn
b9VYnAHVCq7BTQNn74opvuxzvt6pjvE0OKh949tlQt/I5+tqCicc0N5TtXBH0G3L
TBgMtBiEcdSFEBiclkhZZk19/EAeGVthYwy3sX8oB5CXDJPXd8DyUCmcSlFuJieh
ei4mdJvr/oFnPDAQR51Dw5eqENjsmt4xs0jfWd5mciOtjFb0BZ6AEtY2pzTHT1Zg
2DnZUz4XI40TTBA0nWmIR8zYfHlJ7e4YKahQ7wIDAQABAoIBAEhcImORfcs6n6nk
BYz8xZ5goKjtYc4q3fKJ5Gwqm0N46hlwOBusAhPeoVJTEHTuVdIoeBrMPJak2aLs
J7zRBgZgRHFB5WSJfiJXfUimOzh7FbfOB/OSpl9eJ7VfuHtC1RKeLuUijZr2deAh
LWzf9yM0wzVy+4vqSx1jXs/3t1ydqJKiiU0eAWJsNfEZO/XjF3NQJ13+d4w3sSE/
payI/s6gB7lR42OVDB7Pw5hE1WVAx/DqGITEv56k2GOyWlknVpUD1b00OSDDR4yo
NnECIX55w7qmfL+icP4HOqgKl16ezRqZqKLM/jaxxgGKp4Ffvj+Ql6udynz1rKe3
0WAkeoECgYEA3dNQVP8fEZkwjSPsk6KwKe/NaHWbli8m7ll6KbdcBo8A+pCLoMKe
PuvOSJNnEO+PcA0iJGBabjpD2/9BJvBGDunesjTRtsXzfZaSWQPJlo+MEM8ipa2F
P0Sn+adnylUwJr1gd9Y4wqpBpkz7yfc/1q23e3wktT8gepPOChMekxECgYEA1fM8
fKtLD1tM69efMhYweILGu8wWh1bGBzA9YVdlzMzWbEzuLVty21H72J0XRh6b6S83
6erRUFpTBzmMkgFb5Z74oFvftQi4b3Uv1WQIU417Q7LVkBNZKmamdKcvf/avXQX7
zWvzYz45CoZrFg0LnfQHzfv//Di9325Blx2Qo/8CgYEA01G4qJA2J8y47Ow5Ntf4
XKsfEpFfe+5FdzD0aQNNfs4Cz7Cd47Mjj6uSY59Qw1iEW+mXCfJkk7eb59u+VHr3
MsPnK/uXgTgI4y5rErPB+lWbyHObfRvV4VTldLbe8GjBK1ajrOX+QqxxSBz0jQ2m
2ju5nMDCM4wEw+FEmmJmcRECgYBgP9PHVhwnZXB+bPtOQhM+M78J/y9nZU8jLr1+
TB4c+02/XQCNYSWTqxc8hLdSsTR8u+RQlHXjyy6tAmPNz1SzQUgihBJo0+p9IeAK
BL2GMRDyDMLs1Pd5DsL1mbzRuX18wNNdv6G31Oc+Z+hG/ElsnrrgHO01X6VznZte
S0ulqwKBgAaz5nlPeJkHHcbSzNW28s0VfTujFf5aFeS/8yfp3V64N2ooswTQkr6y
ZCwonGSsY4RhF1EoaK+UUhJI8kVnu62XXm5eKXFZUG2q/VM7ULLS4Bqsm3hPrhPH
H8D3MNEEIIs7R0m7Xtnw9Pm+WAcf5G4sc0YpvakHVCZNsiMLvd4A
-----END RSA PRIVATE KEY-----
RANDFILE        =$ENV::HOME/.rnd

[policy_match]
organizationName        = match

[req]
distinguished_name      = req_distinguished_name
x509_extensions         = v3_ca

[req_distinguished_name]
countryName             = US
countryName_value       = US
countryName_default     = US
commonName             = Common Name (eg, YOUR name)
commonName_value       = commonName
organizationName      = Organisation
organizationName_value= org

[v3_ca]
basicConstraints        = critical, CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
keyUsage                = digitalSignature, nonRepudiation, keyEncipherment, 
keyAgreement
subjectAltName          = IP:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA

--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 0.9.8g-15

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:

libcrypto0.9.8-udeb_0.9.8g-15_amd64.udeb
  to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15_amd64.udeb
libssl-dev_0.9.8g-15_amd64.deb
  to pool/main/o/openssl/libssl-dev_0.9.8g-15_amd64.deb
libssl0.9.8-dbg_0.9.8g-15_amd64.deb
  to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15_amd64.deb
libssl0.9.8_0.9.8g-15_amd64.deb
  to pool/main/o/openssl/libssl0.9.8_0.9.8g-15_amd64.deb
openssl_0.9.8g-15.diff.gz
  to pool/main/o/openssl/openssl_0.9.8g-15.diff.gz
openssl_0.9.8g-15.dsc
  to pool/main/o/openssl/openssl_0.9.8g-15.dsc
openssl_0.9.8g-15_amd64.deb
  to pool/main/o/openssl/openssl_0.9.8g-15_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <[email protected]> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 05 Jan 2009 21:14:31 +0100
Source: openssl
Binary: openssl libssl0.9.8 libcrypto0.9.8-udeb libssl-dev libssl0.9.8-dbg
Architecture: source amd64
Version: 0.9.8g-15
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Kurt Roeckx <[email protected]>
Description: 
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypto
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 506111
Changes: 
 openssl (0.9.8g-15) unstable; urgency=low
 .
   * Internal calls to didn't properly check for errors which
     resulted in malformed DSA and ECDSA signatures being treated as
     a good signature rather than as an error.  (CVE-2008-5077)
   * ipv6_from_asc() could write 1 byte longer than the buffer in case
     the ipv6 address didn't have "::" part.  (Closes: #506111)
Checksums-Sha1: 
 c3ef840a20e0b95ac92254661b665a75345e9e8b 1304 openssl_0.9.8g-15.dsc
 b016487726cc8492246330fb65cc12776dc2e7bf 55845 openssl_0.9.8g-15.diff.gz
 15538a577937785d93effb62a0a5b8f3f1cf79d5 1042752 openssl_0.9.8g-15_amd64.deb
 affc6291a0165dd039bd92e64a5534bef8f7d7b0 975060 libssl0.9.8_0.9.8g-15_amd64.deb
 70247fac1c0a0f98c51678e28acc9be97b9172fa 638202 
libcrypto0.9.8-udeb_0.9.8g-15_amd64.udeb
 69ec131dee0dd5ca6fa25561eeeb37722c5a9968 2241290 libssl-dev_0.9.8g-15_amd64.deb
 800404494b6c340e60af2ed8fe3a590b7b3156f8 1627062 
libssl0.9.8-dbg_0.9.8g-15_amd64.deb
Checksums-Sha256: 
 2a4aef69d5209abd633e447373f1bf7784b5a7fe4ced9f25dffec97085d96161 1304 
openssl_0.9.8g-15.dsc
 d0272b51b314c3b6382d5ac3a84d24ce063b2a6b96b82afb24dc58a557268799 55845 
openssl_0.9.8g-15.diff.gz
 af416ceee065b762d6e61ce66968d49fecc46a7812587eddf15906e2f0ed5602 1042752 
openssl_0.9.8g-15_amd64.deb
 c75e8a76432a5a75a72756f83817935a051d9d564e4917f382260474a8193c13 975060 
libssl0.9.8_0.9.8g-15_amd64.deb
 cbab1a359871936214bbeaad8d42db98ece2565011d2bb7abf8f26f4c36897d2 638202 
libcrypto0.9.8-udeb_0.9.8g-15_amd64.udeb
 42b1451a0e51176eae900a2754c4237a21c43e9d0abfb1d291285ada8d6273d0 2241290 
libssl-dev_0.9.8g-15_amd64.deb
 acb42b85d967330c38f0b8d3de3f4c39b4519c6747b5cd7b8348e891dca8dfd1 1627062 
libssl0.9.8-dbg_0.9.8g-15_amd64.deb
Files: 
 2167c24293f978f55b7c64662d3db101 1304 utils optional openssl_0.9.8g-15.dsc
 4590df3b071599f5109d130cf4b037cc 55845 utils optional openssl_0.9.8g-15.diff.gz
 7c3399f25bc49433e011fe1d2c8aee54 1042752 utils optional 
openssl_0.9.8g-15_amd64.deb
 43330342a5b9e69d1bd318d15b072898 975060 libs important 
libssl0.9.8_0.9.8g-15_amd64.deb
 073afd841dfec30b049e74f695ff9743 638202 debian-installer optional 
libcrypto0.9.8-udeb_0.9.8g-15_amd64.udeb
 31fa10d4da7ff030d0a62835b8bb3c3f 2241290 libdevel optional 
libssl-dev_0.9.8g-15_amd64.deb
 af4416ceea1cf803036a95ef33a96873 1627062 libdevel extra 
libssl0.9.8-dbg_0.9.8g-15_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklibz8ACgkQQdwckHJElwvPnQCdFedQUmEFzMKiUPLSoxfzpBBU
L0AAoL+VPG0wgFFoEFNf4iAIZUzFSehe
=xW/A
-----END PGP SIGNATURE-----



--- End Message ---

Reply via email to