Date: Tue, 30 Dec 2014 08:02:22 +1100
From: Joshua Rogers <oss@...ernot.info>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request(s): libgcrypt

On 30/12/14 07:46, Florian Weimer wrote:
> The patch seems incorrect because the copy of the pointer in the
> caller is not updated when first free happens.
>
> The error can only happen on a path with an allocation failure, right?
Yes, when the allocation fails.
_gcry_hmac256_finalize frees 'hd' before it returns NULL, then frees it
again.
Actually, the patch is incorrect. There is no 'if' hd is freed on the
return of NULL, as it is always freed upon the return of NULL.

>> off-by-one out-of-bounds read:
>> http://lists.gnupg.org/pipermail/gcrypt-devel/2014-December/003299.html
> This doesn't look like a security issue because the callers all use
> in-range values.
>
I was actually unsure of this one. I'm waiting for a libgcrypt developer
to comment on it.


Thanks,
-- 
-- Joshua Rogers <https://internot.info/>
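
The ownership problem discussed in this message, as an added model that is not part of the original post and is not libgcrypt code: a callee that releases the handle on its allocation-failure path, and a caller whose own copy of the pointer is unchanged afterwards. All names (`ctx`, `ctx_release`, `finalize_by_value`, `finalize_by_ref`) are hypothetical, and releases are counted on a static object instead of calling free().

```c
#include <stdio.h>

/* Hypothetical handle type; stands in for the 'hd' discussed in the thread. */
struct ctx { int in_use; };

static struct ctx pool;        /* single static object: the model never calls free() */
static int release_count;      /* releases seen for the current handle */

static struct ctx *ctx_acquire(void) { release_count = 0; pool.in_use = 1; return &pool; }

/* Instrumented release: counts calls so a second release is observable, not UB. */
static void ctx_release(struct ctx *hd) {
    if (hd == NULL) return;
    release_count++;
    hd->in_use = 0;
}

/* Callee releases hd on allocation failure. Assigning NULL to the parameter
   only changes the callee's local copy of the pointer. */
static const char *finalize_by_value(struct ctx *hd, int alloc_fails) {
    if (alloc_fails) { ctx_release(hd); hd = NULL; return NULL; }
    return "digest";
}

/* Variant taking the address of the caller's pointer, so it can clear it. */
static const char *finalize_by_ref(struct ctx **hd, int alloc_fails) {
    if (alloc_fails) { ctx_release(*hd); *hd = NULL; return NULL; }
    return "digest";
}

/* Caller that always releases its handle after finalize; returns release count. */
int releases_by_value(int alloc_fails) {
    struct ctx *hd = ctx_acquire();
    (void)finalize_by_value(hd, alloc_fails);
    ctx_release(hd);           /* stale copy on the failure path: second release */
    return release_count;
}

int releases_by_ref(int alloc_fails) {
    struct ctx *hd = ctx_acquire();
    (void)finalize_by_ref(&hd, alloc_fails);
    ctx_release(hd);           /* hd is NULL on the failure path: no-op */
    return release_count;
}

int main(void) {
    printf("by value, failure: %d releases\n", releases_by_value(1));
    printf("by ref,   failure: %d releases\n", releases_by_ref(1));
    return 0;
}
```

Only the failure path differs between the two callers; on success both release the handle exactly once.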

