Pardus: 2010-77: OpenSSL: Invalid ASN1 Module
Posted by Benjamin D. Thomas   
An error when handling CMS (Cryptographic Message Syntax) structures, which can be exploited to potentially execute arbitrary code, has been fixed.
------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-77            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2010-06-15
  Severity: 4
      Type: Remote
------------------------------------------------------------------------

Summary
======
An error when handling CMS (Cryptographic Message Syntax) structures,
which can be exploited to potentially execute arbitrary code, has been
fixed.


Description
==========
CVE-2010-0742:

The Cryptographic Message Syntax (CMS) implementation in
crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a
does not properly handle structures that contain OriginatorInfo, which
allows context-dependent attackers to modify invalid memory locations or
conduct double-free attacks, and possibly execute arbitrary code, via
unspecified vectors.


Affected packages:

  Pardus 2009:
    openssl, all before 0.9.8k-28-11


Resolution
=========
There are update(s) for openssl. You can update them via Package Manager
or with a single command from console:

    pisi up openssl
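
To check a version string against the thresholds this advisory names, here is an added example (not part of the Pardus advisory and not OpenSSL or pisi code). It assumes the Pardus package string has the form version-release-build, as written under "Affected packages"; the function names are illustrative.

```python
import re

# Thresholds taken from the advisory text (CVE-2010-0742).
FIXED_098 = (0, 9, 8, "o")               # upstream fix on the 0.9.8 branch
FIXED_1X = (1, 0, 0, "a")                # upstream fix on the 1.x branch
PARDUS_FIXED = ((0, 9, 8, "k"), 28, 11)  # first fixed Pardus 2009 package

_UPSTREAM = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_upstream(version):
    """Turn '0.9.8k' into (0, 9, 8, 'k'); a missing letter sorts first."""
    m = _UPSTREAM.fullmatch(version.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def upstream_affected(version):
    """True if an unpatched upstream build of this version is in range."""
    v = parse_upstream(version)
    return v < (FIXED_1X if v[0] >= 1 else FIXED_098)


def pardus_affected(package_version):
    """True if a Pardus 2009 openssl package predates the fixed one.

    Assumption: the string is 'version-release-build', as in the advisory.
    """
    upstream, release, build = package_version.strip().split("-")
    key = (parse_upstream(upstream), int(release), int(build))
    return key < PARDUS_FIXED


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real system.
    for v in ("0.9.8n", "0.9.8o", "1.0.0", "1.0.0a"):
        print(v, "affected" if upstream_affected(v) else "fixed")
    for p in ("0.9.8k-27-10", "0.9.8k-28-11"):
        print(p, "affected" if pardus_affected(p) else "fixed")
```

The fixed Pardus package still carries upstream version 0.9.8k, so a check on the upstream number alone flags an updated Pardus host as affected; compare the full package string on Pardus systems.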

References
=========
  * http://bugs.pardus.org.tr/show_bug.cgi?id321

------------------------------------------------------------------------