[openssl-dev] overflow issue in b2i_PVK_bio
Matt Caswell
matt at openssl.org
Fri Mar 4 09:59:01 UTC 2016
On 03/03/16 11:54, Marcus Meissner wrote:
> Hi,
>
> https://guidovranken.wordpress.com/2016/03/01/public-disclosure-malformed-private-keys-lead-to-heap-corruption-in-b2i_pvk_bio/
>
> Integer overflow in b2i_PVK_bio
>
> Have you assigned a CVE internally for that already?
>
> Ciao, Marcus
>
This has been fixed in commit 5f57abe2b15 (master version, similar
commits in other branches):
commit 5f57abe2b150139b8b057313d52b1fe8f126c952
Author: Dr. Stephen Henson <steve at openssl.org>
AuthorDate: Thu Mar 3 23:37:36 2016 +0000
Commit: Dr. Stephen Henson <steve at openssl.org>
CommitDate: Fri Mar 4 01:20:04 2016 +0000
Sanity check PVK file fields.
PVK files with abnormally large length or salt fields can cause an
integer overflow which can result in an OOB read and heap corruption.
However this is an rarely used format and private key files do not
normally come from untrusted sources the security implications not
significant.
Fix by limiting PVK length field to 100K and salt to 10K: these
should be
more than enough to cover any files encountered in practice.
Issue reported by Guido Vranken.
Reviewed-by: Rich Salz <rsalz at openssl.org>
As per the notes in the commit we do not see the security implications
as significant and therefore we are treating this as a bug and will not
be issuing a CVE.
Matt
More information about the openssl-dev
mailing list