It was found that OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex, and others, to leak information from the stack. If applications echo pretty printing output, then a remote attacker could exploit this flaw to read information from the stack. OpenSSL clients and servers are not affected by this flaw; only applications that echo pretty printing output are affected.
External References: https://www.openssl.org/news/secadv_20140806.txt
Upstream commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0042fb5fd1c9d257d713b15a1f45da05cf5c1c87
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1127704]
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1127705]
Created mingw-openssl tracking bugs for this issue: Affects: epel-7 [bug 1127709]
Created mingw32-openssl tracking bugs for this issue: Affects: epel-5 [bug 1127885]
openssl-1.0.1e-39.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
openssl-1.0.1e-39.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
IssueDescription: It was discovered that the OBJ_obj2txt() function could fail to properly NUL-terminate its output. This could possibly cause an application using OpenSSL functions to format fields of X.509 certificates to disclose portions of its memory.
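The caller-side defence against the failure mode described above, as an added example that is not OpenSSL code and not part of this bug report. `fmt_unterminated` is a constructed stand-in for a formatter that returns the length it wanted to write and leaves the buffer without a NUL when the output does not fit; `fmt_checked` and all other names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in (NOT OpenSSL code): returns the full length of the
 * text, and when the text does not fit it fills the buffer completely
 * without writing a terminating NUL. */
static int fmt_unterminated(char *buf, int buf_len, const char *text)
{
    int need = (int)strlen(text);
    if (buf_len <= 0)
        return need;
    if (need < buf_len)
        memcpy(buf, text, (size_t)need + 1);   /* fits, NUL included */
    else
        memcpy(buf, text, (size_t)buf_len);    /* truncated, no NUL */
    return need;
}

/* Hardened wrapper: never trust the formatter to terminate its output.
 * Returns the number of bytes that are safe to echo, or -1 on bad input. */
static int fmt_checked(char *buf, int buf_len, const char *text, int *truncated)
{
    int need;
    if (buf == NULL || buf_len <= 0 || truncated == NULL)
        return -1;
    memset(buf, 0, (size_t)buf_len);           /* no stale stack bytes */
    need = fmt_unterminated(buf, buf_len, text);
    buf[buf_len - 1] = '\0';                   /* force termination */
    *truncated = (need >= buf_len);            /* returned length is not a print length */
    return (int)strlen(buf);
}

int main(void)
{
    char buf[8];
    int truncated = 0;
    /* Constructed sample input: a dotted OID string longer than the buffer. */
    int n = fmt_checked(buf, (int)sizeof buf, "1.2.840.113549.1.1.11", &truncated);
    if (n < 0)
        return 1;
    /* Bound the echo by the checked length, not by the formatter's return value. */
    printf("%.*s%s\n", n, buf, truncated ? " (truncated)" : "");
    return 0;
}
```
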
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2014:1053 https://rhn.redhat.com/errata/RHSA-2014-1053.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Via RHSA-2014:1052 https://rhn.redhat.com/errata/RHSA-2014-1052.html
This issue has been addressed in the following products: Red Hat Storage 2.1 Via RHSA-2014:1054 https://rhn.redhat.com/errata/RHSA-2014-1054.html
This issue has been addressed in the following products: JBoss Web Server 2.1.0 Via RHSA-2014:1256 https://rhn.redhat.com/errata/RHSA-2014-1256.html
This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.3.0 Via RHSA-2014:1297 https://rhn.redhat.com/errata/RHSA-2014-1297.html