
Bug 629290 (CVE-2017-3735)

Summary: <dev-libs/openssl-{1.0.2m,1.1.0g}: Malformed X.509 IPAdressFamily could cause OOB read
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: base-system
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa cve blocked]
Package list:
Runtime testing required: ---
Bug Depends on: 636264    
Bug Blocks:    

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-08-29 14:01:52 UTC
OpenSSL Security Advisory [28 Aug 2017]

Malformed X.509 IPAdressFamily could cause OOB read (CVE-2017-3735)

Severity: Low

If an X.509 certificate has a malformed IPAddressFamily extension,
OpenSSL could do a one-byte buffer overread. The most likely result
would be an erroneous display of the certificate in text format.

As this is a low severity fix, no release is being made. The fix can be
found in the source repository (1.0.2, 1.1.0, and master branches); see This bug has been present
since 2006.

This issue was found by Google's OSS-Fuzz project on August 22.
The fix was developed by Rich Salz of the OpenSSL development team.


Support for version 1.0.1 ended on 31st December 2016. Support for versions
0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer
receiving security updates.


URL for this Security Advisory:

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
Comment 1 Larry the Git Cow gentoo-dev 2017-11-02 15:58:06 UTC
The bug has been referenced in the following commit(s):

commit ddc7a2854b198ea1377a9b109a1d366e4c3099e0
Author:     Thomas Deutschmann <>
AuthorDate: 2017-11-02 15:57:41 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2017-11-02 15:57:55 +0000

    dev-libs/openssl: Bump for CVE-2017-{3735,3736}
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 dev-libs/openssl/Manifest              |   2 +
 dev-libs/openssl/openssl-1.0.2m.ebuild | 254 +++++++++++++++++++++++++++++++++
 dev-libs/openssl/openssl-1.1.0g.ebuild | 240 +++++++++++++++++++++++++++++++
 3 files changed, 496 insertions(+)
Comment 2 Thomas Deutschmann gentoo-dev 2017-11-24 02:21:22 UTC
Added to an existing GLSA request.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-12-14 18:25:14 UTC
This issue was resolved and addressed in
 GLSA 201712-03 at
by GLSA coordinator Thomas Deutschmann (whissi).
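
The advisory quoted in the description concerns a read past the end of a malformed IPAddressFamily value. As an added illustration (not code from OpenSSL or from this bug report), the following C sketch parses the addressFamily field with every read bounds-checked first; it assumes the RFC 3779 layout (an OCTET STRING of 2 or 3 bytes: 2-byte AFI plus optional 1-byte SAFI), and the function, struct and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 3779 addressFamily: 2-byte AFI, then an optional 1-byte SAFI. */
struct addr_family {
    uint16_t afi;       /* 1 = IPv4, 2 = IPv6 */
    int      has_safi;  /* 1 if the optional SAFI byte is present */
    uint8_t  safi;
};

enum { IPAF_OK = 0, IPAF_TRUNCATED = -1, IPAF_BAD_TAG = -2, IPAF_BAD_SIZE = -3 };

/* Parse one DER addressFamily OCTET STRING from buf[0..len).
 * Each byte is checked to exist before it is read. */
int parse_address_family(const unsigned char *buf, size_t len,
                         struct addr_family *out)
{
    if (buf == NULL || out == NULL || len < 2)
        return IPAF_TRUNCATED;           /* need tag and length bytes */
    if (buf[0] != 0x04)
        return IPAF_BAD_TAG;             /* 0x04 = universal OCTET STRING */

    size_t body = buf[1];
    if (body & 0x80)
        return IPAF_BAD_SIZE;            /* DER encodes 2..3 in short form only */
    if (body > len - 2)
        return IPAF_TRUNCATED;           /* declared length exceeds the buffer */
    if (body < 2 || body > 3)
        return IPAF_BAD_SIZE;            /* SIZE (2..3) per RFC 3779 */

    const unsigned char *p = buf + 2;
    out->afi = (uint16_t)((p[0] << 8) | p[1]);  /* safe: body >= 2 */
    out->has_safi = (body == 3);
    out->safi = out->has_safi ? p[2] : 0;       /* p[2] read only if present */
    return IPAF_OK;
}

int main(void)
{
    /* Constructed inputs: a valid IPv4 family and a 1-byte malformed one. */
    const unsigned char ok[]  = {0x04, 0x02, 0x00, 0x01};
    const unsigned char bad[] = {0x04, 0x01, 0x00};
    struct addr_family af;
    printf("valid: %d, malformed: %d\n",
           parse_address_family(ok, sizeof ok, &af),
           parse_address_family(bad, sizeof bad, &af));
    return 0;
}
```

Without the `body < 2` check, decoding the AFI from a one-byte value would read one byte beyond the field, which is the kind of overread the advisory describes.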