Date: Tue, 30 Dec 2014 08:02:22 +1100
From: Joshua Rogers <oss@...ernot.info>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request(s): libgcrypt

On 30/12/14 07:46, Florian Weimer wrote:
> The patch seems incorrect because the copy of the pointer in the
> caller is not updated when first free happens.
>
> The error can only happen on a path with an allocation failure, right?

Yes, when the allocation fails. _gcry_hmac256_finalize frees 'hd' before it returns NULL, then frees it again.
Actually, the patch is incorrect. There is no 'if' hd is freed on the return of NULL, as it is always freed upon the return of NULL.

>> off-by-one out-of-bounds read:
>> http://lists.gnupg.org/pipermail/gcrypt-devel/2014-December/003299.html
> This doesn't look like a security issue because the callers all use
> in-range values.
>

I was actually unsure of this one. I'm waiting for a libgcrypt developer to comment on it.

Thanks,
--
Joshua Rogers <https://internot.info/>