635584 – dev-libs/libressl: out-of-bounds read creates crash

Bug 635584 - dev-libs/libressl: out-of-bounds read creates crash

Summary: dev-libs/libressl: out-of-bounds read creates crash

Status:	RESOLVED DUPLICATE of bug 636264

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.novell.com/show_bug....
Whiteboard:	B3 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2017-10-27 14:55 UTC by Aleksandr Wagner (Kivak)
Modified:	2019-04-27 18:57 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Aleksandr Wagner (Kivak) 2017-10-27 14:55:49 UTC

openssl-1.0.2l and libressl-2.6.2 are susceptible to an out-of-bounds read and crashes. https://marc.info/?l=openbsd-tech&m=150906184009035&w=2
So observed on Tumbleweed, and therefore very likely affects 42.2, 42.3 and SLE as well.

openssl-1.1.0f has been found to not have the problem anymore.

References:

https://marc.info/?l=openbsd-tech&m=150906184009035&w=2
https://marc.info/?l=openbsd-tech&m=150906184009035&q=raw
https://github.com/openssl/openssl/commit/6493e4801e9edbe1ad1e256d4ce9cd55c8aa2242#diff-bf594638aca419f471dd119cd22da58f

@ Maintainer(s): Please confirm that only libressl-2.6.2 is vulnerable to this bug.

Comment 1 Yury German Gentoo Infrastructure

2019-04-27 18:57:05 UTC


*** This bug has been marked as a duplicate of bug 636264 ***