Date: Mon, 12 Mar 2012 13:46:07 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Tomas Hoger <thoger@...hat.com>
Subject: Re: CVE request: openssl: null pointer dereference issue

On 03/12/2012 11:39 AM, Tomas Hoger wrote:
> Note that additional similar issue in mime_param_cmp was fixed in
> 0.9.8u and 1.0.0h as:
> http://cvs.openssl.org/chngview?cn=22252
>
> This can also be triggered by malformed S/MIME message.
>
> The above commit also corrects an issue with the previous mime_hdr_cmp
> fix that could cause the function to return either "less than" or
> "greater than" when comparing NULL to non-NULL. There's no known
> security impact of this change, it seems it could cause verification /
> decryption to fail when it can succeed.

Reported by "bla".

Please use CVE-2012-1165 for this issue.

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
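
The comparator problem discussed in this message, as an added C example that is not part of the original mail and is not OpenSSL's code: a comparator that never dereferences a NULL name and orders NULL against non-NULL the same way from both sides, so a sorted lookup still succeeds when one entry is malformed. The `demo_*` names and the sample parameters are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a parsed MIME parameter (not OpenSSL's type).
 * name may be NULL when the input message is malformed. */
typedef struct {
    const char *name;
    const char *value;
} demo_param;

/* NULL-safe and antisymmetric: a NULL name sorts before any non-NULL
 * name, two NULL names compare equal, strcmp() only sees real strings. */
static int demo_param_cmp(const void *pa, const void *pb)
{
    const demo_param *a = pa, *b = pb;

    if (a->name == NULL || b->name == NULL)
        return (a->name != NULL) - (b->name != NULL);
    return strcmp(a->name, b->name);
}

/* Reduce a comparator result to -1, 0 or 1 so both directions can be compared. */
static int demo_sign(int v) { return (v > 0) - (v < 0); }

/* Sort the array, then look a parameter up by name; NULL if absent. */
static const char *demo_find(demo_param *params, size_t n, const char *name)
{
    demo_param key = { name, NULL };
    demo_param *hit;

    qsort(params, n, sizeof(*params), demo_param_cmp);
    hit = bsearch(&key, params, n, sizeof(*params), demo_param_cmp);
    return hit ? hit->value : NULL;
}

int main(void)
{
    /* Constructed sample: the middle entry mimics a parameter with no name. */
    demo_param p[] = { {"charset", "utf-8"}, {NULL, "broken"}, {"boundary", "x"} };
    demo_param none = { NULL, NULL };
    printf("charset=%s\n", demo_find(p, 3, "charset"));
    printf("NULL vs name: %d\n", demo_sign(demo_param_cmp(&none, &p[2])));
    return 0;
}
```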