Your message dated Sat, 21 Mar 2026 14:46:11 +0100
with message-id <[email protected]>
and subject line Re: Bug#742240: libssl1.0.0: TLSv1_client_method()/SSL_Connect() heap overrun
has caused the Debian Bug report #742240,
regarding libssl1.0.0: TLSv1_client_method()/SSL_Connect() heap overrun
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
742240: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742240
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libssl1.0.0
Version: 1.0.1e-2+deb7u4
Severity: normal

Dear Maintainer,

When creating a client context with SSL_CTX_new(TLSv1_client_method()),
SSL_Connect() triggers a heap overrun with the following output from valgrind:

==24315== Thread 10:
==24315== Invalid write of size 4
==24315==    at 0x4C2B4FF: memset (mc_replace_strmem.c:966)
==24315==    by 0x5894BAE: MD5_Final (md5.c:293)
==24315==    by 0x72A8CED: EVP_DigestFinal_ex (digest.c:272)
==24315==    by 0x673797A: ssl3_get_key_exchange (s3_clnt.c:1782)
==24315==    by 0x673B042: ssl3_connect (s3_clnt.c:359)
==24315==    by 0x58818EE: _sock_connected (sock.c:596)
==24315==    by 0x587A531: _thread (thread.c:644)
==24315==    by 0x5442B4F: start_thread (pthread_create.c:304)
==24315==  Address 0x7866694 is 0 bytes after a block of size 100 alloc'd
==24315==    at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==24315==    by 0x721B77F: CRYPTO_malloc (mem.c:308)
==24315==    by 0x72A8B48: EVP_DigestInit_ex (digest.c:210)
==24315==    by 0x673791A: ssl3_get_key_exchange (s3_clnt.c:1777)
==24315==    by 0x673B042: ssl3_connect (s3_clnt.c:359)
==24315==    by 0x58818EE: _sock_connected (sock.c:596)
==24315==    by 0x587A531: _thread (thread.c:644)
==24315==    by 0x5442B4F: start_thread (pthread_create.c:304)
==24315==

SSL_Connect() returned WANT_READ, and once there was data on the socket, calling
SSL_Connect() a second time triggered the bug.

The bug is fixed by creating a context with SSLv23_client_method() instead.

Thanks,
Brandon



-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.49
ii  libc6                  2.13-38+deb7u1
ii  multiarch-support      2.13-38+deb7u1
ii  zlib1g                 1:1.2.7.dfsg-13

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information excluded

--- End Message ---
--- Begin Message ---
On 2017-09-04 21:46:21 [+0200], To Brandon wrote:
> On 2014-03-21 02:04:11 [-0400], Brandon wrote:
> > When creating a client context with SSL_CTX_new(TLSv1_client_method()),
> > SSL_Connect() triggers a heap overrun with the following output from 
> > valgrind:
> 
> Does this still occur as of 1.1.0f?

The reporter did not come back, I can't reproduce this (it is sort of
difficult to get a TLSv1-only connection these days).

Closing.

Sebastian

--- End Message ---