On Tue, 11 Aug 2009 17:08:19 +0200, Dr. Stephen Henson <[email protected]> wrote:
> Please send any patches or bug reports to the request tracker in future. That
> way they don't get overlooked.
I tried to do so, but I don't have an account there, the guest account doesn't
have rights to create a ticket and there is no way to (automatically)
register a new account. I was not sure if sending a patch to the tracker
from an unknown address would work. I followed the instructions from the README:
---8<---
Development is coordinated on the openssl-dev mailing list (see
http://www.openssl.org for information on subscribing). If you
would like to submit a patch, send it to [email protected] with
the string "[PATCH]" in the subject. Please be sure to include a
textual explanation of what your patch does.
---8<---
I'll resend the patch to [email protected] then. And I'll send a patch for
the README file. :)
> While these are minor issues they are unlikely to happen unless something is
> very badly wrong. The SSL_SESSION structure and its encoding cannot be fed
> into OpenSSL from an untrusted source (well not unless an application designer
> has decided to do this very stupid thing) they will only have been previously
> created by OpenSSL itself using sane values.
Yes, I agree that the issues are unlikely to happen. I checked that the
buffer overflow is not exploitable in the library itself, that's why I
used the word "potential". However, d2i_SSL_SESSION() is a function from
the public API and we can't know where the application has got an SSL
session ASN1 representation from, and how it is going to use the resulting
SSL_SESSION object. Also, I think that such a library as OpenSSL can't be
too secure, that's why I sent the patch, even if the issues are minor and
potential.
--
Alexei.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
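
The point argued above, that a public decoding function cannot assume its encoded input was produced with sane values, is illustrated by the following added example. It is not code from this thread, from the patch, or from OpenSSL; `demo_session`, `demo_decode_id` and the 32-byte field capacity are hypothetical. It decodes one DER OCTET STRING into a fixed-size field and rejects any length that exceeds either the input or the field.

```c
#include <stddef.h>
#include <string.h>

#define DEMO_MAX_ID_LEN 32          /* assumed capacity of the fixed field */

struct demo_session {               /* hypothetical stand-in, not SSL_SESSION */
    size_t id_len;
    unsigned char id[DEMO_MAX_ID_LEN];
};

/* Read a DER length at *p (short form, or long form of up to 4 bytes).
 * Returns 0 and advances *p on success, -1 on malformed or truncated input. */
static int der_len(const unsigned char **p, const unsigned char *end, size_t *out)
{
    size_t n, v = 0;
    unsigned char b;

    if (*p >= end) return -1;
    b = *(*p)++;
    if (b < 0x80) { *out = b; return 0; }
    n = b & 0x7f;                   /* number of length bytes that follow */
    if (n == 0 || n > 4 || (size_t)(end - *p) < n) return -1; /* 0x80 = indefinite, not DER */
    while (n--) v = (v << 8) | *(*p)++;
    *out = v;
    return 0;
}

/* Decode one OCTET STRING into s->id.
 * Returns 0 on success, -1 if malformed, -2 if the value exceeds the field. */
int demo_decode_id(struct demo_session *s, const unsigned char *in, size_t in_len)
{
    const unsigned char *p = in, *end = in + in_len;
    size_t len;

    if (in_len < 2 || *p++ != 0x04) return -1;   /* 0x04 = OCTET STRING tag */
    if (der_len(&p, end, &len) != 0) return -1;
    if (len > (size_t)(end - p)) return -1;      /* claims more bytes than supplied */
    if (len > sizeof(s->id)) return -2;          /* would overflow the fixed field */
    memcpy(s->id, p, len);
    s->id_len = len;
    return 0;
}

int main(void)
{
    /* Constructed input: OCTET STRING of 33 bytes, one more than the field holds. */
    unsigned char der[2 + 33] = {0x04, 0x21};
    struct demo_session s;
    return demo_decode_id(&s, der, sizeof der) == -2 ? 0 : 1;
}
```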