I too face this same scenario as Raajesh. Can anyone provide details
on the exact patch for CVE-2013-0169 that was applied to OpenSSL version
0.9.8y?
Thank you,
~Ryan
On 03/06/2013 12:15 AM, Raajesh Sivaramakrishnan wrote:
Hi,
The product that I am working on is running on OpenSSL version 0.9.8x.
The vulnerability CVE-2013-0169 has been fixed in OpenSSL 0.9.8y and
hence I am trying to figure out the patch for this vulnerability to
port it to the product. I am faced with an issue here.
I tried my best to sort the issue myself or through help from my
colleagues, but could not find a resolution for two weeks now. Hence I
am posting this query on this forum.
I wanted to narrow down on the patch for this vulnerability alone for
porting. Towards this, I tried to find the complete diff of changes
between OpenSSL 0.9.8x and 0.9.8y on the OpenSSL site and elsewhere
on the internet but could not find the same. Hence I downloaded
OpenSSL 0.9.8x and 0.9.8y source code and have generated the complete
code diff. I find there are around 50 files which have been changed
between the two versions including some new files.
When I try to narrow down on the fix given for CVE-2013-0169, I find
that apart from this fix, there are three other changes including a
fix for another vulnerability CVE-2013-0166, a fix for a possible
deadlock when decoding public keys and some changes pertaining to
cipher suite stapling.
I tried filtering out the fix for vulnerability CVE-2013-0169 through
code comments. Though most changes are included with comments
explaining the change, I could not find relevant comments for some
other changes. I am trying to figure out what changes are for what
issues through vimdiff and code reading where I could not find
comments. However, due to the high number of files and LoC, I am
concerned I could miss out on something.
Hence, I would like to know if there is any other way to filter out
the exact patch for this particular vulnerability. Any inputs could be
greatly helpful.
Best Regards,
Raajesh S
--
Ryan Watkins