oss-sec mailing list archives
Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110)
From: Tomas Hoger <thoger () redhat com>
Date: Tue, 24 Apr 2012 09:47:24 +0200
On Sun, 22 Apr 2012 19:44:56 +0400 Solar Designer wrote:
> Turns out that file was mangled in transit. Tavis has posted the correct one on this URL:
> http://lock.cmpxchg8b.com/openssl-1.0.1-testcase-32bit.crt.gz
> SHA-256: ac7acb168a6bfd65375eeec072acbf904f0f10e3bc5588c020aed4df4712d066
If you test your 0.9.x updates with this reproducer from Tavis, you should still expect to see crashes, which are now corrected upstream in 0.9.8w:
http://marc.info/?l=openssl-dev&m=133525318514423&w=2
This incomplete fix got CVE-2012-2131.
--
Tomas Hoger / Red Hat Security Response Team