[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
bernd.edlinger at hotmail.de
bernd.edlinger at hotmail.de
Fri Feb 1 16:06:03 UTC 2019
The branch OpenSSL_1_1_0-stable has been updated
via 152abc5522d869668f50deeb99cd0d948d0df4c1 (commit)
from 47c55f881ffef8aa5fafcb88d4230700bb279449 (commit)
- Log -----------------------------------------------------------------
commit 152abc5522d869668f50deeb99cd0d948d0df4c1
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date: Wed Jan 30 16:20:31 2019 +0100
Fix a crash in reuse of d2i_X509_PUBKEY
If the second PUBKEY is malformed there is use after free.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8135)
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 4 ++++
crypto/x509/x_pubkey.c | 1 +
2 files changed, 5 insertions(+)
diff --git a/CHANGES b/CHANGES
index b810a12..d634252 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,10 @@
Changes between 1.1.0j and 1.1.0k [xx XXX xxxx]
+ *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
+ re-used X509_PUBKEY object if the second PUBKEY is malformed.
+ [Bernd Edlinger]
+
*) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
[Richard Levitte]
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
index cc69283..03271cb 100644
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@@ -36,6 +36,7 @@ static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
/* Attempt to decode public key and cache in pubkey structure. */
X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
EVP_PKEY_free(pubkey->pkey);
+ pubkey->pkey = NULL;
/*
* Opportunistically decode the key but remove any non fatal errors
* from the queue. Subsequent explicit attempts to decode/use the key
More information about the openssl-commits
mailing list