Hi,
Yes thank you very much. I did see in pk7_doit.c module, where the
PKCS7_dataInit() routine calls
PKCS7_get_octet_string() with what seems to be an uninitialized PKCS7
field:
->32070: os =
PKCS7_get_octet_string(p7->d.sign->contents);
DBG> ex p7->d.sign->contents
PK7_DOIT\PKCS7_dataInit\p7->d.sign->contents: 0F00D2700
This address is sign extended in 32-bit mode and is an unaccessable
system address. We ACCVIO when we we step into the routine (SEGMENT
fault on UNIX). Probably something left on the stack. I never did see
where this 'contents' was filled in. The call chain was:
module name routine name line rel PC abs PC
*PK7_DOIT PKCS7_dataInit
32070 0000000000000904
0000000000186114
*PK7_SMIME PKCS7_encrypt
31540 0000000000000FB4
00000000001833A4
*SMIME smime_main 34428 000000000000163C
00000000000DD1AC
However, when I didn't readily see anything in CVS that fit the bill
(pk7_doit and pk7lib, and I don't claim to know much about CVS), I was
happy to see your message.
Thanks again for the URL pointers.
Paul
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ives Steglich
Sent: Friday, October 15, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: Re: openssl 0.9.7d as an security risk
Mosteika, Paul Edward (OpenVMS Engineering) wrote:
>Hi,
>
>I just tripped across this same problem yesterday. Which modules is it?
>I'd like to fix this for OpenVMS.
>
>
>
Date: 2004-Mar-24 00:57:23 (UTC)
Comment: Make S/MIME encrypt work again.
http://cvs.openssl.org/chngview?cn=12080 (non fips version)
http://cvs.openssl.org/chngview?cn=12080 (fips tree)
this is actually the pkcs#7 fix to get it working again after they broke
it with the 0.9.7d security-fixes... the broken code is in: pk7_doit.c
maybe there are some more fixes, so it may be a good idea just to use
the cvs-version of 0.9.7 instead of the release (0.9.7d)
greetings
dalini
> Paul
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of dalini
>Sent: Thursday, October 14, 2004 7:17 PM
>To: [EMAIL PROTECTED]
>Subject: openssl 0.9.7d as an security risk
>
>
>hi folks,
>
>i'm not that familiar with your release policy and your definition of
>security and security-risks but i have a real certain issue about
>0.9.7d
>
>as far as i understand the release policy there will be new releases
>for openssl 0.9.7 only in case of security problems with the software
>and so there will be bugfixes in cvs but no new releases untill a
>security related problem gets fixed
>
>you as the developers may be familiar with the current situation of
>0.9.7d i guess, and therefore will know that the pkcs#7 part of openssl
>0.9.7d is broken in the release but fixed (actually 10 days after it)
>in the cvs branch of 0.9.7
>
>as far as i understand, you don't consider the broken pkcs#7 not a
>security risk or break in terms of openssl
>
>thats the point, where i really get stuck on your definitions of
>security, security risks and safty of operational systems, it is for me
>quite wired to be honest...
>
>
>so everybody who relies on pkcs#7 operations - and uses a openssl
>version prior to 0.9.7d and will update, will just break of his whole
>security infrastructure because he maybe does some suggested updates to
>0.9.7d (becouse this fixes several security issues) and therefore will
>kill themself instandly
>
>of course, everybody should do tests before he upgrades sensetive parts
>of its infrastructure and so on...
>
>but a lot of current packages use openssl-0.9.7d since its the stable
>version, so on new systems you always have to patch the 'stable' and
>'working' openssl, also a lot of projects that relay on openssl as the
>base library have to bring a huge ammount in support just to make users
>clear - DONT USE 0.9.7d - because its broken per default on the pkcs#7
>part... the point is, usaly everybody doesn't start to search for
>failures at an as stable decleared part of software...
>
>and so i really would like to see a new release of openssl 0.9.7
>because this is no trustable situation actually - since one can't relay
>on openssl stable releases and therefore on all published packages from
>distributions which may be use 0.9.7d
>
>and i really can't undestand how you can spread a broken software, even
>if it may be no security risk in the first view, but actually i would
>call this a security risk
>
>
>greetings
>dalini
>
>
>
>
>______________________________________________________________________
>OpenSSL Project http://www.openssl.org
>Development Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
>______________________________________________________________________
>OpenSSL Project http://www.openssl.org
>Development Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
>
>
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]