Bug 759370 (CVE-2020-1971) - [Tracker] Denial of service in OpenSSL/LibreSSL X509 parser (CVE-2020-1971)
Alias: CVE-2020-1971
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Depends on: 759079 759175
Reported: 2020-12-10 17:37 UTC by Sam James
Modified: 2021-05-13 13:23 UTC
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-10 17:37:08 UTC
"The X.509 GeneralName type is a generic type for representing different types
of names. One of those name types is known as EDIPartyName. OpenSSL provides a
function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
to see if they are equal or not. This function behaves incorrectly when both
GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
may occur leading to a possible denial of service attack."
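
Added example (not code from OpenSSL, LibreSSL or this bug): a NULL-safe equality check over a simplified, hypothetical model of EDIPartyName, illustrating the pointer checks a comparison routine needs when a field may be absent. The struct and function names are assumptions; the optional nameAssigner field follows the RFC 5280 definition quoted in the comment.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified model, NOT OpenSSL's types. RFC 5280:
 *   EDIPartyName ::= SEQUENCE {
 *       nameAssigner [0] DirectoryString OPTIONAL,
 *       partyName    [1] DirectoryString }
 * so a decoded nameAssigner may legitimately be NULL. */
typedef struct { const unsigned char *data; size_t len; } dir_string;
typedef struct { dir_string *name_assigner; dir_string *party_name; } edi_party_name;

/* Byte-wise equality of two present strings: 0 if equal, 1 otherwise. */
static int dir_string_cmp(const dir_string *a, const dir_string *b)
{
    if (a->len != b->len)
        return 1;
    return (a->len != 0 && memcmp(a->data, b->data, a->len) != 0) ? 1 : 0;
}

/* Returns 0 if equal, 1 if different, -1 if either input is malformed.
 * Every pointer is checked before it is dereferenced. */
int edi_party_name_cmp(const edi_party_name *a, const edi_party_name *b)
{
    if (a == NULL || b == NULL)
        return -1;
    /* partyName is mandatory: a missing one means a malformed structure */
    if (a->party_name == NULL || b->party_name == NULL)
        return -1;
    /* nameAssigner is optional: present on one side only means "different" */
    if ((a->name_assigner == NULL) != (b->name_assigner == NULL))
        return 1;
    if (a->name_assigner != NULL
        && dir_string_cmp(a->name_assigner, b->name_assigner) != 0)
        return 1;
    return dir_string_cmp(a->party_name, b->party_name);
}

int main(void)
{
    /* Constructed sample values */
    dir_string acme = { (const unsigned char *)"ACME", 4 };
    dir_string party = { (const unsigned char *)"party-1", 7 };
    edi_party_name with = { &acme, &party }, without = { NULL, &party };
    printf("with vs without assigner: %d\n", edi_party_name_cmp(&with, &without));
    printf("without vs without:       %d\n", edi_party_name_cmp(&without, &without));
    return 0;
}
```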
Comment 1 bugs-gentoo01 2020-12-14 19:34:39 UTC
I'm running openssl-1.0.2u ( with these patches from Ubuntu:

What I did:

* Created a new overlay (for testing)
* Extracted debian/patches/CVE-2020-1971-*.patch from
* Put them in ./files dir of dev-libs/openssl
* Copied openssl-1.0.2u.ebuild to openssl-1.0.2u-r1.ebuild
* Adjusted openssl-1.0.2u-r1.ebuild
  * Added to the start of the src_prepare() section:

epatch "${FILESDIR}"/CVE-2020-1971-1.patch
epatch "${FILESDIR}"/CVE-2020-1971-2.patch
epatch "${FILESDIR}"/CVE-2020-1971-3.patch
epatch "${FILESDIR}"/CVE-2020-1971-4.patch
epatch "${FILESDIR}"/CVE-2020-1971-5.patch
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-13 13:23:04 UTC
Dead tracker, closing.