Issue metadata
Sign in to add a comment
|
Security: OpenSSL CCS Vulnerability |
||||||||||||||||||||
Issue descriptionExposure in Chrome OS is low since OpenSSL is only used in update-engine to talk to Google servers. http://www.openssl.org/news/secadv_20140605.txt SSL/TLS MITM vulnerability (CVE-2014-0224) =========================================== An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution. OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za. OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h. Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and researching this issue. This issue was reported to OpenSSL on 1st May 2014 via JPCERT/CC. The fix was developed by Stephen Henson of the OpenSSL core team partly based on an original patch from KIKUCHI Masashi.
,
Jun 5 2014
a cryptohome unittest fails w/new openssl, so i have to figure out why ...
,
Jun 5 2014
after failing at life and debugging the wrong func, here's a reduced testcase taken from cryptohome's unittests -- the Base64Decode func is unmodified (other than the std::cout). you can debug in the sdk, so don't need a target board to reproduce. $ g++ test.cc `pkg-config --libs --cflags openssl` $ ./a.out with openssl-1.0.1g you get: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA with 1.0.1h you get: Base64Decode failed: input: QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE= size: 44 output size: 0 the delta between the versions isn't that big, so i'll try backing out the hunks to narrow things down. unless of course, cmasone@ thinks the existing Decode func is broken and that'll save some time :).
,
Jun 5 2014
Thanks Mike! I'll give it a shot too.
,
Jun 5 2014
ok, it looks like the openssl bio funcs really want a trailing new line in their input and if you don't provide it, it just returns 0. wheee.
,
Jun 5 2014
https://chromium-review.googlesource.com/202701 fixes the unittest problems. we can debate the future of this code in a diff bug as we really want openssl out.
,
Jun 6 2014
,
Jun 6 2014
approved for 36.
,
Jun 6 2014
,
Jun 6 2014
Project: chromiumos/platform/cryptohome Branch : master Author : Mike Frysinger <vapier@chromium.org> Commit : 5e9c1786eee13c4bde95b893bbb007afe785540a Code-Review 0 : Mike Frysinger, chrome-internal-fetch Code-Review +2: Jorge Lucangeli Obes, Kees Cook Commit-Queue 0 : Jorge Lucangeli Obes, Kees Cook, chrome-internal-fetch Commit-Queue +1: Mike Frysinger Verified 0 : Jorge Lucangeli Obes, Kees Cook, chrome-internal-fetch Verified +1: Mike Frysinger Commit Queue : Chumped Change-Id : Idf28fefcdc912926fd988f582baaf5c00c54b424 Reviewed-at : https://chromium-review.googlesource.com/202701 add newlines to base64 content OpenSSL wants a newline in the base64 content to decode it, so add ones to make it happy. BUG= chromium:381200 TEST=`FEATURES=test emerge-x86-alex chromeos-cryptohome` passes w/openssl-1.0.1g TEST=`FEATURES=test emerge-x86-alex chromeos-cryptohome` passes w/openssl-1.0.1h homedirs_unittest.cc
,
Jun 6 2014
Project: chromiumos/overlays/chromiumos-overlay Branch : master Author : Mike Frysinger <vapier@chromium.org> Commit : 0e0e9e8fd4ac42ccf16ace3b004758ca2b85112d Code-Review 0 : Mike Frysinger, Will Drewry, chrome-internal-fetch Code-Review +2: Jorge Lucangeli Obes, Kees Cook Commit-Queue 0 : Jorge Lucangeli Obes, Kees Cook, Will Drewry, chrome-internal-fetch Commit-Queue +1: Mike Frysinger Verified 0 : Jorge Lucangeli Obes, Kees Cook, Will Drewry, chrome-internal-fetch Verified +1: Mike Frysinger Commit Queue : Chumped Change-Id : Iaadf35daf88056a6d26bd799b023e7f777019f8c Reviewed-at : https://chromium-review.googlesource.com/202672 openssl: version bump BUG= chromium:381200 TEST=`emerge openssl` works TEST=`FEATURES=test emerge-x86-alex openssl` works TEST=`cbuildbot chromiumos-sdk` passes TEST=`cbuildbot {x86-alex,lumpy}-release` passes CQ-DEPEND=CL:202701 dev-libs/openssl/Manifest dev-libs/openssl/files/openssl-1.0.0a-ldflags.patch dev-libs/openssl/files/openssl-1.0.0d-windres.patch dev-libs/openssl/files/openssl-1.0.0h-pkg-config.patch dev-libs/openssl/files/openssl-1.0.1f-perl-5.18.patch dev-libs/openssl/files/openssl-1.0.1f-revert-alpha-perl-generation.patch dev-libs/openssl/files/openssl-1.0.1h-blacklist-by-sha1.patch dev-libs/openssl/files/openssl-1.0.1h-ipv6.patch dev-libs/openssl/metadata.xml dev-libs/openssl/openssl-1.0.1h.ebuild
,
Jun 6 2014
Project: chromiumos/overlays/chromiumos-overlay Branch : release-R36-5841.B Author : Mike Frysinger <vapier@chromium.org> Commit : 582ed2bf5348a1d824dfd2c50bc69ac0811b370c Code-Review 0 : Mike Frysinger Code-Review +2: Jorge Lucangeli Obes, Will Drewry Verified 0 : Jorge Lucangeli Obes, Will Drewry Verified +1: Mike Frysinger Commit Queue : Chumped Change-Id : Iaadf35daf88056a6d26bd799b023e7f777019f8c Reviewed-at : https://chromium-review.googlesource.com/202673 openssl: version bump BUG= chromium:381200 TEST=`emerge openssl` works TEST=`FEATURES=test emerge-x86-alex openssl` works TEST=`cbuildbot chromiumos-sdk` passes TEST=`cbuildbot {x86-alex,lumpy}-release` passes CQ-DEPEND=CL:202701 Previous-Reviewed-on: https://chromium-review.googlesource.com/202672 (cherry picked from commit 0e0e9e8fd4ac42ccf16ace3b004758ca2b85112d) dev-libs/openssl/Manifest dev-libs/openssl/files/openssl-1.0.0a-ldflags.patch dev-libs/openssl/files/openssl-1.0.0d-windres.patch dev-libs/openssl/files/openssl-1.0.0h-pkg-config.patch dev-libs/openssl/files/openssl-1.0.1f-perl-5.18.patch dev-libs/openssl/files/openssl-1.0.1f-revert-alpha-perl-generation.patch dev-libs/openssl/files/openssl-1.0.1h-blacklist-by-sha1.patch dev-libs/openssl/files/openssl-1.0.1h-ipv6.patch dev-libs/openssl/metadata.xml dev-libs/openssl/openssl-1.0.1h.ebuild
,
Jun 6 2014
Project: chromiumos/platform/cryptohome Branch : release-R36-5841.B Author : Mike Frysinger <vapier@chromium.org> Commit : 76cf2f1584e61201cde2aea98c61b892546435f1 Code-Review 0 : Mike Frysinger Code-Review +2: Jorge Lucangeli Obes, Will Drewry Verified 0 : Jorge Lucangeli Obes, Will Drewry Verified +1: Mike Frysinger Commit Queue : Chumped Change-Id : Idf28fefcdc912926fd988f582baaf5c00c54b424 Reviewed-at : https://chromium-review.googlesource.com/202920 add newlines to base64 content OpenSSL wants a newline in the base64 content to decode it, so add ones to make it happy. BUG= chromium:381200 TEST=`FEATURES=test emerge-x86-alex chromeos-cryptohome` passes w/openssl-1.0.1g TEST=`FEATURES=test emerge-x86-alex chromeos-cryptohome` passes w/openssl-1.0.1h Previous-Reviewed-on: https://chromium-review.googlesource.com/202701 (cherry picked from commit 5e9c1786eee13c4bde95b893bbb007afe785540a) homedirs_unittest.cc
,
Jun 6 2014
,
Jun 6 2014
Merge approved for M35.
,
Jun 6 2014
Project: chromiumos/platform/cryptohome Branch : master Author : Mike Frysinger <vapier@chromium.org> Commit : 5e9c1786eee13c4bde95b893bbb007afe785540a Code-Review 0 : David Riley, Mike Frysinger, chrome-internal-fetch Code-Review +2: Jorge Lucangeli Obes, Kees Cook Commit-Queue 0 : David Riley, Jorge Lucangeli Obes, Kees Cook, chrome-internal-fetch Commit-Queue +1: Mike Frysinger Verified 0 : David Riley, Jorge Lucangeli Obes, Kees Cook, chrome-internal-fetch Verified +1: Mike Frysinger Commit Queue : Chumped Change-Id : Idf28fefcdc912926fd988f582baaf5c00c54b424 Reviewed-at : https://chromium-review.googlesource.com/202701 add newlines to base64 content OpenSSL wants a newline in the base64 content to decode it, so add ones to make it happy. BUG= chromium:381200 TEST=`FEATURES=test emerge-x86-alex chromeos-cryptohome` passes w/openssl-1.0.1g TEST=`FEATURES=test emerge-x86-alex chromeos-cryptohome` passes w/openssl-1.0.1h homedirs_unittest.cc
,
Jun 6 2014
Project: chromiumos/overlays/chromiumos-overlay Branch : release-R35-5712.B Author : Mike Frysinger <vapier@chromium.org> Commit : fe7c580931a07e35a178b353cdada82b27efe645 Code-Review 0 : Mike Frysinger Code-Review +2: Kees Cook Verified 0 : Kees Cook Verified +1: Mike Frysinger Commit Queue : Chumped Change-Id : I71da0324034bd32858fb95e7a00ae5d80eeb076e Reviewed-at : https://chromium-review.googlesource.com/202704 openssl: version bump BUG= chromium:381200 TEST=`emerge openssl` works TEST=`FEATURES=test emerge-x86-alex openssl` works TEST=`cbuildbot chromiumos-sdk` passes TEST=`cbuildbot {x86-alex,lumpy}-release` passes Originally-Reviewed-on: https://chromium-review.googlesource.com/193316 Originally-Reviewed-on: https://chromium-review.googlesource.com/202672 dev-libs/openssl/Manifest dev-libs/openssl/files/openssl-1.0.0a-ldflags.patch dev-libs/openssl/files/openssl-1.0.0d-windres.patch dev-libs/openssl/files/openssl-1.0.0h-pkg-config.patch dev-libs/openssl/files/openssl-1.0.1f-perl-5.18.patch dev-libs/openssl/files/openssl-1.0.1f-revert-alpha-perl-generation.patch dev-libs/openssl/files/openssl-1.0.1h-blacklist-by-sha1.patch dev-libs/openssl/files/openssl-1.0.1h-ipv6.patch dev-libs/openssl/metadata.xml dev-libs/openssl/openssl-1.0.1h.ebuild
,
Jun 17 2014
Removing "Approved" label as this was merged.
,
Aug 19 2014
,
Sep 12 2014
Bulk update: removing view restriction from closed bugs.
,
Sep 17 2014
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 1 2016
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
,
Jul 28
|
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by jorgelo@chromium.org
, Jun 5 2014