Date: Sun, 22 Apr 2012 19:44:56 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Tavis Ormandy <taviso@...xchg8b.com>
Subject: Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110)

On Sun, Apr 22, 2012 at 04:23:11PM +0400, Solar Designer wrote:
> Tavis posted a followup to my message, where he attached a testcase that
> was unfortunately above oss-security's message size limit - so the
> message did not make it to the list.  I've gzip-compressed the file and
> have re-attached it to this message now (it's only 3 KB when compressed).

Turns out that file was mangled in transit.  Tavis has posted the
correct one on this URL:

http://lock.cmpxchg8b.com/openssl-1.0.1-testcase-32bit.crt.gz

SHA-256: ac7acb168a6bfd65375eeec072acbf904f0f10e3bc5588c020aed4df4712d066

$ gzip -vl openssl-1.0.1-testcase-32bit.crt.gz
method  crc     date  time           compressed        uncompressed  ratio uncompressed_name
defla 879c374f Apr 22 18:57             1389433          1431655797  99.9% openssl-1.0.1-testcase-32bit.crt

With this one, I am able to trigger a problem on 32-bit (OpenSSL 1.0.0d
with unrelated patches):

$ zcat openssl-1.0.1-testcase-32bit.crt.gz | openssl x509 -inform DER
*** glibc detected *** free(): invalid pointer: 0x45ff0008 ***
Aborted

That's in an OpenVZ container with privvmpages barrier at 3 GB.
With 2 GB, I was getting:

$ zcat openssl-1.0.1-testcase-32bit.crt.gz | openssl x509 -inform DER
unable to load certificate
3083651232:error:07069041:memory buffer routines:BUF_MEM_grow_clean:malloc failure:buffer.c:152:
3083651232:error:0D06B041:asn1 encoding routines:ASN1_D2I_READ_BIO:malloc failure:a_d2i_fp.c:229:

Alexander
