Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 563236 (CVE-2015-5333, CVE-2015-5334) - <dev-libs/libressl-2.2.4: Memory Leak and Buffer Overflow (CVE-2015-{5333,5334})
Summary: <dev-libs/libressl-2.2.4: Memory Leak and Buffer Overflow (CVE-2015-{5333,5334})
Alias: CVE-2015-5333, CVE-2015-5334
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa]
Depends on:
Reported: 2015-10-16 13:22 UTC by Chí-Thanh Christopher Nguyễn
Modified: 2016-11-21 22:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Chí-Thanh Christopher Nguyễn gentoo-dev 2015-10-16 13:22:55 UTC

In order to achieve remote code execution against the vulnerabilities that we recently discovered in OpenSMTPD (CVE-2015-7687), a memory leak is needed. Because we could not find one in OpenSMTPD itself, we started to review the malloc()s and free()s of its libraries, and eventually found a memory leak in LibreSSL's OBJ_obj2txt() function; we then realized that this function also contains a buffer overflow (an off-by-one, usually stack-based).

The vulnerable function OBJ_obj2txt() is reachable through X509_NAME_oneline() and d2i_X509(), which is called automatically to decode the X.509 certificates exchanged during an SSL handshake (both client-side, unless an anonymous mode is used, and server-side, if client authentication is requested).

These vulnerabilities affect all LibreSSL versions, including LibreSSL 2.0.0 (the first public release) and LibreSSL 2.3.0 (the latest release at the time of writing). OpenSSL is not affected.


This off-by-one buffer overflow allows remote attackers to cause a
denial of service (crash) or possibly execute arbitrary code. However,
when triggered through X509_NAME_oneline() (and therefore d2i_X509()),
this buffer overflow is stack-based and probably not exploitable on
OpenBSD x86, where it appears to always smash the stack canary.
Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev 2015-10-16 13:34:27 UTC
To answer ago's questions from the ${URL} followup:
All released versions up to 2.3.0 are affected.

The commits which fix the memory leak and buffer overflow are presumably:

Plus some more which appear to be related, but not directly fix any security vulnerability in that CVE.
Comment 2 Julian Ospald 2015-10-16 13:39:40 UTC
(In reply to Chí-Thanh Christopher Nguyễn from comment #1)
> To answer ago's questions from the ${URL} followup:
> All released versions up to 2.3.0 are affected.

That's not entirely correct, because it is fixed in 2.2.4, which is the stable branch.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-11-21 22:50:16 UTC
Package never stabilized.