It would be great if I could get answers to the questions below.
thanks
aparajita
From: Aparajita Sood (apsood)
Sent: Tuesday, September 21, 2010 11:54 AM
To: 'openssl-users@openssl.org'
Subject: REGD : openssl vulnerability CVE-2010-2939 : double in ssl3_get_key_exchange
Hi OpenSSL Folks,
I'm evaluating our product for this vulnerability.
http://www.mail-archive.com/openssl-...@openssl.org/msg28049.html
I have a few questions:
1. The vulnerability says:
You are right: there is a double free bug in the function
*ssl3_get_key_exchange* which leads to crash if an error occurs.
The bug is in line 1510 of s3_clnt.c where we forget to set the
variable bn_ctx to NULL after freeing it and this leads to the
double free error when BN_CTX_free is called a second time on line
1650.
In 0.9.7d and prior I see no reference to bn_ctx or BN_CTX_free.
QUESTION: Since I do not see references to bn_ctx or BN_CTX_free in
0.9.7d, can I assume that the vulnerability does not exist on that
version?
2. The link says OpenSSL versions 1.0.0a, 0.9.8, 0.9.7,
and possibly other versions, are affected when Elliptic Curve
Diffie-Hellman (ECDH) is enabled.
QUESTION: Since I don't see BN_CTX_free being used in 0.9.7d and prior,
do they mean that 7e, f, g have these definitions?
3. I checked in the opensslconf.h file for #define OPENSSL_NO_ECDH to
check whether ECDH is enabled or not.
QUESTION: Is this the correct way to find out if ECDH is enabled or not?
It would be great if I could get a response to these.
thanks
aparajita
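As an added illustration of the bug class the quoted report describes (this is constructed example code, not code from the thread or from OpenSSL), the following C model shows the error-path pattern in which a context is freed but the pointer is left dangling, so a shared cleanup label frees it a second time, next to the fixed form. The `sim_bn_ctx` type and `key_exchange_*` functions are hypothetical stand-ins; because a real double free is undefined behaviour, the simulated free records a repeated free instead of performing it.

```c
#include <stddef.h>

/* Constructed stand-in for a BN_CTX-like object: not OpenSSL's type. */
typedef struct { int live; } sim_bn_ctx;

static sim_bn_ctx g_ctx_slot;   /* one static slot is enough for the demo */
static int g_double_frees;      /* frees observed on an already-freed ctx */

static sim_bn_ctx *sim_ctx_new(void) {
    g_ctx_slot.live = 1;
    return &g_ctx_slot;
}

/* Same contract as BN_CTX_free: freeing NULL is a harmless no-op. */
static void sim_ctx_free(sim_bn_ctx *ctx) {
    if (ctx == NULL) return;
    if (!ctx->live) { g_double_frees++; return; }  /* would be UB for real */
    ctx->live = 0;
}

/* Shape of the bug: the ECDH error path frees bn_ctx but leaves the
 * pointer set, so the shared err: cleanup frees it again.
 * Returns the number of double frees observed during the call. */
int key_exchange_buggy(int ecdh_step_fails) {
    sim_bn_ctx *bn_ctx = sim_ctx_new();
    g_double_frees = 0;
    if (ecdh_step_fails) {
        sim_ctx_free(bn_ctx);  /* bug: bn_ctx still points at freed ctx */
        goto err;
    }
    /* ... remaining key-exchange processing would go here ... */
err:
    sim_ctx_free(bn_ctx);      /* common cleanup: second free on error path */
    return g_double_frees;
}

/* The fix: clear the pointer right after freeing it, so the cleanup
 * label's free becomes a no-op on the error path. */
int key_exchange_fixed(int ecdh_step_fails) {
    sim_bn_ctx *bn_ctx = sim_ctx_new();
    g_double_frees = 0;
    if (ecdh_step_fails) {
        sim_ctx_free(bn_ctx);
        bn_ctx = NULL;         /* fix: no dangling pointer */
        goto err;
    }
err:
    sim_ctx_free(bn_ctx);      /* NULL on the error path, so nothing happens */
    return g_double_frees;
}
```

Building the real code with AddressSanitizer (`-fsanitize=address`) reports the same second free at runtime, which is the practical way to confirm whether a given build exercises this path.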