Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 585142 (CVE-2016-2177) - <dev-libs/openssl-1.0.2h-r2: Possible integer overflow vulnerabilities in codebase (CVE-2016-2177)
Summary: <dev-libs/openssl-1.0.2h-r2: Possible integer overflow vulnerabilities in cod...
Alias: CVE-2016-2177
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa cve]
Depends on: CVE-2016-2178
  Show dependency tree
Reported: 2016-06-06 07:27 UTC by Agostino Sarubbo
Modified: 2016-12-07 10:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-06-06 07:27:34 UTC
From ${URL} :

A common idiom in the codebase is:

if (p + len > limit)
	return; /* Too long */

where p points to some malloc'd data of SIZE bytes and limit == p + SIZE. 'len' could be from some 
externally supplied data, e.g. TLS message. This idiom is vulnerable to integer overflow 

Upstream commit: 6f35f6deb5ca7daebe289f86477e061ce3ee5f46

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-06-20 09:09:33 UTC
CVE-2016-2177 (
  OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer
  boundary checks, which might allow remote attackers to cause a denial of
  service (integer overflow and application crash) or possibly have
  unspecified other impact by leveraging unexpected malloc behavior, related
  to s3_srvr.c, ssl_sess.c, and t1_lib.c.
Comment 2 Patrick McLean gentoo-dev 2016-06-25 02:20:50 UTC
Fixed in openssl-1.0.2h-r2
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-12-07 10:27:25 UTC
This issue was resolved and addressed in
 GLSA 201612-16 at
by GLSA coordinator Aaron Bauman (b-man).