oss-security - Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110)

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Tue, 24 Apr 2012 16:31:51 +0200
From: Tavis Ormandy <taviso@...xchg8b.com>
To: Tomas Hoger <thoger@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110)

On Tue, Apr 24, 2012 at 09:47:24AM +0200, Tomas Hoger wrote:
> On Sun, 22 Apr 2012 19:44:56 +0400 Solar Designer wrote:
> 
> > Turns out that file was mangled in transit.  Tavis has posted the
> > correct one on this URL:
> > 
> > http://lock.cmpxchg8b.com/openssl-1.0.1-testcase-32bit.crt.gz
> > 
> > SHA-256:
> > ac7acb168a6bfd65375eeec072acbf904f0f10e3bc5588c020aed4df4712d066
> 
> If you test your 0.9.x updates with this reproducer from Tavis, you
> should still expect to see crashes, which are now corrected upstream in
> 0.9.8w:
> 
> http://marc.info/?l=openssl-dev&m=133525318514423&w=2
> 
> This incomplete fix got CVE-2012-2131.
> 

Oops, indeed I didn't test with the 0.9.x build. I had tried (and
failed) to mail it to openssl-security, but their MTA rejected it,
so just skipped it as the 1.0.0 patch seemed correct.

At the risk of being flamed for my progressive views on email size,
please turn up the limits for security aliases! :-)

Tavis.


-- 
-------------------------------------
taviso@...xchg8b.com | pgp encrypted mail preferred
-------------------------------------------------------

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.