Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20160314073723.GB8335@suse.de>
Date: Mon, 14 Mar 2016 08:37:23 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request

On Mon, Mar 14, 2016 at 11:19:29AM +0400, Loganaden Velvindron wrote:
> Hi guys,
> 
> Is there a CVE assigned to this yet ?
> 
> https://guidovranken.wordpress.com/2016/03/01/public-disclosure-malformed-private-keys-lead-to-heap-corruption-in-b2i_pvk_bio/

I brought this to the openssl team and they claim it is not a security issue.

https://www.mail-archive.com/openssl-dev@openssl.org/msg43102.html
https://www.mail-archive.com/openssl-dev@openssl.org/msg43119.html

This has been fixed in commit 5f57abe2b15 (master version, similar
commits in other branches):

commit 5f57abe2b150139b8b057313d52b1fe8f126c952
Author:     Dr. Stephen Henson <st...@...nssl.org>
AuthorDate: Thu Mar 3 23:37:36 2016 +0000
Commit:     Dr. Stephen Henson <st...@...nssl.org>
CommitDate: Fri Mar 4 01:20:04 2016 +0000

    Sanity check PVK file fields.

    PVK files with abnormally large length or salt fields can cause an
    integer overflow which can result in an OOB read and heap corruption.
    However this is an rarely used format and private key files do not
    normally come from untrusted sources the security implications not
    significant.

    Fix by limiting PVK length field to 100K and salt to 10K: these
should be
    more than enough to cover any files encountered in practice.

    Issue reported by Guido Vranken.

    Reviewed-by: Rich Salz <rs...@...nssl.org>


As per the notes in the commit we do not see the security implications
as significant and therefore we are treating this as a bug and will not
be issuing a CVE.

Matt
-- 



Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.