oss-sec mailing list archives
Re: CVE request
From: Marcus Meissner <meissner () suse de>
Date: Mon, 14 Mar 2016 08:37:23 +0100
On Mon, Mar 14, 2016 at 11:19:29AM +0400, Loganaden Velvindron wrote:
Hi guys,

Is there a CVE assigned to this yet?
https://guidovranken.wordpress.com/2016/03/01/public-disclosure-malformed-private-keys-lead-to-heap-corruption-in-b2i_pvk_bio/

I brought this to the openssl team and they claim it is not a security issue.

https://www.mail-archive.com/openssl-dev () openssl org/msg43102.html
https://www.mail-archive.com/openssl-dev () openssl org/msg43119.html

This has been fixed in commit 5f57abe2b15 (master version, similar commits in other branches):

commit 5f57abe2b150139b8b057313d52b1fe8f126c952
Author: Dr. Stephen Henson <st... () openssl org>
AuthorDate: Thu Mar 3 23:37:36 2016 +0000
Commit: Dr. Stephen Henson <st... () openssl org>
CommitDate: Fri Mar 4 01:20:04 2016 +0000

    Sanity check PVK file fields.

    PVK files with abnormally large length or salt fields can cause an
    integer overflow which can result in an OOB read and heap corruption.
    However this is a rarely used format and private key files do not
    normally come from untrusted sources the security implications not
    significant.

    Fix by limiting PVK length field to 100K and salt to 10K: these should
    be more than enough to cover any files encountered in practice.

    Issue reported by Guido Vranken.

    Reviewed-by: Rich Salz <rs... () openssl org>

As per the notes in the commit we do not see the security implications as significant and therefore we are treating this as a bug and will not be issuing a CVE.

Matt
--

Ciao, Marcus
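The class of bug the quoted commit message describes, as an added example that is not OpenSSL's code and not part of the original thread: two attacker-controlled 32-bit length fields are summed, the sum wraps, and a later read is sized from the wrapped value. The 24-byte little-endian header layout, the magic value and every function name here are assumptions for illustration; only the 100K and 10K limits come from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PVK_MAGIC       0xb0b5f11eU /* assumed PVK magic value */
#define PVK_HDR_LEN     24          /* assumed: six 32-bit LE fields */
#define PVK_MAX_KEYLEN  102400U     /* 100K, from the commit message */
#define PVK_MAX_SALTLEN 10240U      /* 10K, from the commit message */

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Build a constructed header; salt length at offset 16, key length at 20. */
void pvk_make_header(unsigned char *h, uint32_t saltlen, uint32_t keylen)
{
    wr_le32(h, PVK_MAGIC); wr_le32(h + 4, 0); wr_le32(h + 8, 1);
    wr_le32(h + 12, saltlen != 0);
    wr_le32(h + 16, saltlen); wr_le32(h + 20, keylen);
}

/* Before: the 32-bit sum wraps, so a huge keylen yields a tiny body size. */
uint32_t pvk_body_len_unchecked(const unsigned char *h)
{
    return rd_le32(h + 16) + rd_le32(h + 20);
}

/* After: reject out-of-range fields first; returns 1 and sets *out if sane. */
int pvk_body_len_checked(const unsigned char *h, size_t hlen, size_t *out)
{
    if (hlen < PVK_HDR_LEN || rd_le32(h) != PVK_MAGIC)
        return 0;
    uint32_t saltlen = rd_le32(h + 16), keylen = rd_le32(h + 20);
    if (keylen > PVK_MAX_KEYLEN || saltlen > PVK_MAX_SALTLEN)
        return 0;
    *out = (size_t)saltlen + keylen; /* at most 112640, cannot wrap */
    return 1;
}

int main(void)
{
    unsigned char h[PVK_HDR_LEN];
    size_t n = 0;
    pvk_make_header(h, 16, 0xFFFFFFF8U); /* constructed malformed header */
    printf("unchecked body length: %u\n", (unsigned)pvk_body_len_unchecked(h));
    printf("checked parse accepted: %d\n", pvk_body_len_checked(h, sizeof h, &n));
    return 0;
}
```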