Should this get a CVE number assignment or is it not a real security issue?


Should this get a CVE number assignment or is it not a real security issue?

Tomas Mraz-2
Hi,
during the review of OpenSSL commits I found this one:
https://github.com/openssl/openssl/commit/22a10c89d7c3f951339c385d57cc8fd23c0a800b

There is unfortunately not much detail in the commit message. Could this
be a possible security issue? Can you please clear that up?

Thanks,
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

Re: Should this get a CVE number assignment or is it not a real security issue?

Dr. Stephen Henson
On Thu, Aug 07, 2014, Tomas Mraz wrote:

> Hi,
> during the review of OpenSSL commits I found this one:
> https://github.com/openssl/openssl/commit/22a10c89d7c3f951339c385d57cc8fd23c0a800b
>
> There is unfortunately not much detail in the commit message. Could this
> be a possible security issue? Can you please clear that up?
>

The commit log message is somewhat unfortunate ;-)

The commit combines some cosmetic changes with a correction to see if there
is enough room for two extensions: renegotiation and SRTP.

In practice an overrun is not possible because at most a few bytes are written
to a BUF_MEM structure which is grown to 16k by calling BUF_MEM_grow, which
actually ends up allocating additional space, making it 21848 bytes in length.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
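To make the room check Steve describes concrete, here is an added example (not OpenSSL's code and not from either message) that appends the two extensions he names, renegotiation_info and use_srtp, to a caller-supplied buffer only after confirming that their combined encoded size fits. The payload bytes are constructed for illustration, and the SRTP profile value is a placeholder.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Extension type codes: renegotiation_info (RFC 5746), use_srtp (RFC 5764). */
#define EXT_RENEGOTIATION_INFO 0xff01
#define EXT_USE_SRTP           0x000e

/* Constructed payloads: an initial-handshake renegotiation_info (empty
 * renegotiated_connection) and a use_srtp body listing one placeholder
 * profile with no MKI.  Not taken from any real handshake. */
static const uint8_t RENEG_DATA[] = { 0x00 };
static const uint8_t SRTP_DATA[]  = { 0x00, 0x02, 0x00, 0x01, 0x00 };

/* Append one extension: 2-byte type, 2-byte length, then the body.  The
 * caller has already checked the room, so this never writes past the end. */
static uint8_t *put_ext(uint8_t *p, uint16_t type, const uint8_t *d, size_t n)
{
    *p++ = (uint8_t)(type >> 8); *p++ = (uint8_t)type;
    *p++ = (uint8_t)(n >> 8);    *p++ = (uint8_t)n;
    memcpy(p, d, n);
    return p + n;
}

/* Write both extensions into buf[0..limit).  Returns the number of bytes
 * written, or 0 without touching buf when the combined size does not fit.
 * The point of the thread: the room check must cover both extensions
 * together, not just whichever one is written first. */
size_t add_reneg_and_srtp(uint8_t *buf, size_t limit)
{
    const size_t need = (4 + sizeof(RENEG_DATA)) + (4 + sizeof(SRTP_DATA));
    if (limit < need)
        return 0;
    uint8_t *p = put_ext(buf, EXT_RENEGOTIATION_INFO, RENEG_DATA, sizeof(RENEG_DATA));
    p = put_ext(p, EXT_USE_SRTP, SRTP_DATA, sizeof(SRTP_DATA));
    return (size_t)(p - buf);
}

/* Run the writer against a static scratch buffer with a given limit,
 * so the behaviour at and just below the boundary can be checked. */
size_t try_limit(size_t limit)
{
    static uint8_t scratch[64];
    return limit <= sizeof(scratch) ? add_reneg_and_srtp(scratch, limit) : 0;
}
```

The two encoded extensions total 14 bytes, so a limit of 14 succeeds and a limit of 13 is refused before any byte is written.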