oss-sec mailing list archives
Re: CVE Request: AWS s2n
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 14 Jul 2015 09:48:17 -0600
On 07/14/2015 09:08 AM, Markus Vervier wrote:
> Hi,
>
> I would like to request a CVE for s2n. When a server is sending invalid DH values during a handshake a BIGNUM value is not properly initialized. This causes a null pointer dereference in an s2n-based client leading to a crash or possibly worse on old systems (e.g. on Debian kernels lower than 2.6.26).
>
> Technical details and a patch are available here:
> https://github.com/awslabs/s2n/pull/124
>
> The fix was merged and is in commit 9af6ba1815dfd5c00361cc3bd45cee1d64e0c3bf.
>
> Markus

I just looked at the pull:

Markus Vervier noticed that our client side code isn't being defensive enough around DHE parameters and can pass on a "0" as the value of dh->p. Note: not that the BIGNUM is NULL, but that the value of the number is a literal zero.

[snip]

Reminder: Client mode is disabled and won't be enabled until X509 validation is ready. But we can still make improvements and fixes in the meantime.

So I'm not sure this needs a CVE as the code is not yet enabled.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
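
The kind of defensive check the quoted pull request text refers to, as an added example that is not part of the message above and is not s2n code: a client parses the server's DH parameters and refuses a zero value before it reaches the bignum layer. It assumes the TLS ServerDHParams wire layout (three vectors, each with a 2-byte big-endian length prefix), and it also rejects a zero g and Ys, which goes beyond the dh->p case named in the thread; all function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types and names for illustration; not s2n's API. */
struct dh_vec { const uint8_t *data; size_t len; };
struct dh_params { struct dh_vec p, g, ys; };

/* Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then bytes. */
static int read_vec(const uint8_t **cur, size_t *left, struct dh_vec *out)
{
    if (*left < 2) return -1;
    size_t len = ((size_t)(*cur)[0] << 8) | (*cur)[1];
    *cur += 2; *left -= 2;
    if (len == 0 || len > *left) return -1;   /* empty or truncated vector */
    out->data = *cur; out->len = len;
    *cur += len; *left -= len;
    return 0;
}

/* True when every byte is zero, i.e. the encoded integer is 0. */
static int is_zero(const struct dh_vec *v)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < v->len; i++) acc |= v->data[i];
    return acc == 0;
}

/* Returns 0 if usable, -1 if malformed, -2/-3/-4 if p/g/Ys is zero. */
int parse_server_dh_params(const uint8_t *buf, size_t len, struct dh_params *out)
{
    const uint8_t *cur = buf;
    size_t left = len;
    if (read_vec(&cur, &left, &out->p) || read_vec(&cur, &left, &out->g) ||
        read_vec(&cur, &left, &out->ys)) return -1;
    /* A well-formed, non-empty vector can still encode the number 0. */
    if (is_zero(&out->p)) return -2;
    if (is_zero(&out->g)) return -3;
    if (is_zero(&out->ys)) return -4;
    return 0;
}

/* Constructed sample inputs (toy sizes, not real DH groups). */
static const uint8_t sample_ok[]        = {0,1,23, 0,1,5, 0,1,8};
static const uint8_t sample_zero_p[]    = {0,2,0,0, 0,1,5, 0,1,8};
static const uint8_t sample_truncated[] = {0,4,1,2};

int main(void)
{
    struct dh_params d;
    printf("ok=%d zero_p=%d\n", parse_server_dh_params(sample_ok, sizeof sample_ok, &d),
           parse_server_dh_params(sample_zero_p, sizeof sample_zero_p, &d));
    return 0;
}
```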