Bug 507694 (CVE-2010-5298)

Summary: dev-libs/openssl : freelist misuse causing a possible use-after-free
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED WORKSFORME    
Severity: normal CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1087195
Whiteboard: A3 [upstream/ebuild]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-04-15 09:47:53 UTC
From ${URL} :

The following security advisory was reported by OpenBSD:

OpenBSD 5.4 errata 8, Apr 12, 2014: A use-after-free race condition in OpenSSL's read buffer may permit an attacker to inject data from one connection into another.

Reference:

http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/008_openssl.patch
http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 SpanKY gentoo-dev 2014-04-20 03:16:50 UTC
seems like consensus is it's a non issue

Comment 2 Joshua Kinard gentoo-dev 2014-04-20 05:46:34 UTC
(In reply to SpanKY from comment #1)
> seems like consensus is it's a non issue

Yeah, not a security threat, but still a very weird way for OpenSSL to handle memory.  Still a bug in my book, but one that can follow normal stabilization procedures when upstream does patch it.