List:       openssl-dev
Subject:    [openssl.org #952] Security fix omission in openssl-engine-0.9.6m & SNAP
From:       "Leonard den Ottolander via RT" <rt () openssl ! org>
Date:       2004-09-29 8:50:42
Message-ID: rt-952-5751.17.3124353510823 () openssl ! org

Hello,

Going through Red Hat's 7.3 openssl-0.9.6b-35.7 openssl-0.9.6b-sec.patch
I noticed that in openssl-engine-0.9.6m (& SNAP 2004-09-26) there is a
hunk from this patch missing. Everything else has been merged, so I
believe this to be an unintentional omission.

In RHL 7.3's openssl-0.9.6b-sec.patch there is this one hunk:

--- ./ssl/ssl_asn1.c.chats      Thu Apr  5 21:28:48 2001
+++ ./ssl/ssl_asn1.c    Thu Jul 25 16:41:00 2002
@@ -275,6 +276,7 @@
                os.length=i;
 
        ret->session_id_length=os.length;
+       die(os.length <= sizeof ret->session_id);
        memcpy(ret->session_id,os.data,os.length);
 
        M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
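Review bot: the added die() line sits after ret->session_id_length=os.length has already been assigned, and die() (OpenSSLDie(), per the message) stops the process rather than failing the decode. Since os.length is taken from the session data being parsed, an over-long session ID becomes a process abort; consider comparing os.length against sizeof ret->session_id before the assignment and returning an error from the decoder so the caller can reject the session.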

In 0.9.6m die() is usually substituted with a
+       if (os.length > sizeof ret->session_id)
+               {
+               SSLerr(,);
+               return -1;
+               }
block.

In 0.9.6m this check is missing and should be added:

        ret->session_id_length=os.length;
        memcpy(ret->session_id,os.data,os.length);

It is there in 0.9.7d:

        ret->session_id_length=os.length;
        OPENSSL_assert(os.length <= sizeof ret->session_id);
        memcpy(ret->session_id,os.data,os.length);

The fact that there is an OPENSSL_assert in 0.9.7d makes me believe the
hunk was dropped unintentionally in the 0.9.6 branch, and should be
reintroduced.

The patch below reintroduces die(), and the declaration of OpenSSLDie().
The definition of OpenSSLDie() is still in cryptlib.c. If you decide to
use another construct instead of die(), the definition of OpenSSLDie()
should probably be removed.

Leonard.

P.S. The bug report page that is mentioned in the README
(http://www.openssl.org/rt2.html) seems to no longer exist. Maybe the
README can be updated?

-- 
mount -t life -o ro /dev/dna /genetic/research

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majordomo@openssl.org
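
The check the message asks for, as an added example that is not part of the original message or of OpenSSL's code: a self-contained C sketch that puts the unchecked 0.9.6m copy beside a variant that rejects an over-long session ID and returns an error instead of aborting. The structs, the 32-byte buffer size and both function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SESSION_ID_LENGTH 32 /* assumed buffer size for this sketch */

/* Simplified stand-ins (assumptions) for the decoded OCTET STRING and session. */
struct octet_string { int length; const unsigned char *data; };
struct session {
    unsigned int  session_id_length;
    unsigned char session_id[MAX_SESSION_ID_LENGTH];
};

/* Shape of the 0.9.6m lines quoted above: the length comes straight from
 * the input and nothing bounds it against the destination buffer. */
int copy_session_id_unchecked(struct session *ret, const struct octet_string *os)
{
    ret->session_id_length = (unsigned int)os->length;
    memcpy(ret->session_id, os->data, (size_t)os->length);
    return 0;
}

/* Checked variant: validate first, touch *ret only on success, and report
 * failure to the caller instead of aborting the process. */
int copy_session_id_checked(struct session *ret, const struct octet_string *os)
{
    if (os->length < 0 || (size_t)os->length > sizeof ret->session_id)
        return -1;                       /* negative or over-long length */
    if (os->length > 0 && os->data == NULL)
        return -1;                       /* length without data */
    if (os->length > 0)
        memcpy(ret->session_id, os->data, (size_t)os->length);
    ret->session_id_length = (unsigned int)os->length;
    return 0;
}

int main(void)
{
    unsigned char input[48];             /* constructed sample input */
    struct session s = { 0, { 0 } };
    struct octet_string fits = { 32, input }, too_long = { 48, input };

    memset(input, 0x41, sizeof input);
    printf("32 bytes: %d\n", copy_session_id_checked(&s, &fits));
    printf("48 bytes: %d\n", copy_session_id_checked(&s, &too_long));
    printf("stored length: %u\n", s.session_id_length);
    return 0;
}
```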