Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 22 Apr 2012 19:44:56 +0400
From: Solar Designer <>
Cc: Tavis Ormandy <>
Subject: Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110)

On Sun, Apr 22, 2012 at 04:23:11PM +0400, Solar Designer wrote:
> Tavis posted a followup to my message, where he attached a testcase that
> was unfortunately above oss-security's message size limit - so the
> message did not make it to the list.  I've gzip-compressed the file and
> have re-attached it to this message now (it's only 3 KB when compressed).

Turns out that file was mangled in transit.  Tavis has posted the
correct one on this URL:

SHA-256: ac7acb168a6bfd65375eeec072acbf904f0f10e3bc5588c020aed4df4712d066

$ gzip -vl openssl-1.0.1-testcase-32bit.crt.gz
method  crc     date  time           compressed        uncompressed  ratio uncompressed_name
defla 879c374f Apr 22 18:57             1389433          1431655797  99.9% openssl-1.0.1-testcase-32bit.crt

With this one, I am able to trigger a problem on 32-bit (OpenSSL 1.0.0d
with unrelated patches):

$ zcat openssl-1.0.1-testcase-32bit.crt.gz | openssl x509 -inform DER
*** glibc detected *** free(): invalid pointer: 0x45ff0008 ***

That's in an OpenVZ container with privvmpages barrier at 3 GB.
With 2 GB, I was getting:

$ zcat openssl-1.0.1-testcase-32bit.crt.gz | openssl x509 -inform DER
unable to load certificate
3083651232:error:07069041:memory buffer routines:BUF_MEM_grow_clean:malloc failure:buffer.c:152:
3083651232:error:0D06B041:asn1 encoding routines:ASN1_D2I_READ_BIO:malloc failure:a_d2i_fp.c:229:


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ