On Thu, 31 May 2012 20:41:21 +0200 (CEST) David Anthony via RT wrote:

> There has been a new security vulnerability we have reported over at
> Bugtraq (http://seclists.org/bugtraq/2012/May/155) and we feel that it
> should also be reported to the OpenSSL dev team. If there are any
> questions regarding the issue, please feel free to give us (Myself
> and Vincent Buccigrossi) an email at this address to discuss further.

This should be a problem with apps' password_callback, that passes
incorrect buffer size to UI functions.  The easy way to reproduce is
with genrsa, where both stack-based (first pass phrase prompt) and
heap-based (verify pass phrase prompt) overflows can be reproduced.

Attached patch for 1.0.1c makes password_callback use correct buffer
size.

-- 
Tomas Hoger

diff -pruN openssl-1.0.1c.orig/apps/apps.c openssl-1.0.1c/apps/apps.c
--- openssl-1.0.1c.orig/apps/apps.c	2012-02-12 00:38:49.000000000 +0100
+++ openssl-1.0.1c/apps/apps.c	2012-06-14 15:32:09.634491031 +0200
@@ -586,12 +586,12 @@ int password_callback(char *buf, int buf
 
 		if (ok >= 0)
 			ok = UI_add_input_string(ui,prompt,ui_flags,buf,
-				PW_MIN_LENGTH,BUFSIZ-1);
+				PW_MIN_LENGTH,bufsiz-1);
 		if (ok >= 0 && verify)
 			{
 			buff = (char *)OPENSSL_malloc(bufsiz);
 			ok = UI_add_verify_string(ui,prompt,ui_flags,buff,
-				PW_MIN_LENGTH,BUFSIZ-1, buf);
+				PW_MIN_LENGTH,bufsiz-1, buf);
 			}
 		if (ok >= 0)
 			do

Reply via email to