In case an entry with the given OID already exists in the list passed to mbedtls_asn1_store_named_data() and there is not enough memory to allocate room for the new value, the existing entry will be freed but the preceding entry in the list will still hold a pointer to it. (And the following entries in the list are no longer reachable.) This results in a memory leak or a double free.

Upstream fix available here: https://github.com/ARMmbed/mbedtls/commit/97b5209bc01ab8b3b519fdb46cefc04739433124
Upstream issue: https://github.com/ARMmbed/mbedtls/issues/367
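As an added illustration of the ordering problem the report describes (constructed example code, not mbed TLS's own code and not the upstream patch), the following C program keeps a small named-data list and grows an existing value so that an allocation failure leaves the list exactly as it was: the replacement buffer is allocated first, and the old one is released only after that succeeds. The `named_data` struct, the `xalloc()` hook used to simulate out-of-memory, and all function names are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an ASN.1 named-data list entry (not mbed TLS's own struct). */
typedef struct named_data {
    unsigned char *oid;
    size_t oid_len;
    unsigned char *val;
    size_t val_len;
    struct named_data *next;
} named_data;

static int fail_next_alloc = 0; /* set to 1 to make the next xalloc() fail */
static void *xalloc(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return calloc(1, n ? n : 1);
}

static named_data *find_named_data(named_data *cur, const unsigned char *oid, size_t oid_len)
{
    for (; cur != NULL; cur = cur->next)
        if (cur->oid_len == oid_len && memcmp(cur->oid, oid, oid_len) == 0)
            return cur;
    return NULL;
}

/* Store val under oid, updating an existing entry in place. When an existing
 * value must grow, the new buffer is allocated before the old one is released,
 * so a failed allocation leaves the entry linked and owning a valid buffer.
 * The report describes the opposite order: the still-linked entry was freed,
 * leaving its predecessor's next pointer dangling. */
named_data *store_named_data(named_data **head, const unsigned char *oid, size_t oid_len,
                             const unsigned char *val, size_t val_len)
{
    named_data *cur = find_named_data(*head, oid, oid_len);
    if (cur == NULL) {
        /* Fresh entry: nothing points at it yet, so freeing on failure is safe. */
        if ((cur = xalloc(sizeof *cur)) == NULL)
            return NULL;
        if ((cur->oid = xalloc(oid_len)) == NULL || (cur->val = xalloc(val_len)) == NULL) {
            free(cur->oid); free(cur->val); free(cur);
            return NULL;
        }
        memcpy(cur->oid, oid, oid_len);
        cur->oid_len = oid_len;
        cur->next = *head;
        *head = cur;
    } else if (cur->val_len < val_len) {
        unsigned char *bigger = xalloc(val_len);
        if (bigger == NULL)
            return NULL;            /* list and entry left exactly as they were */
        free(cur->val);
        cur->val = bigger;
    }
    cur->val_len = val_len;
    memcpy(cur->val, val, val_len);
    return cur;
}

size_t list_length(const named_data *cur)
{
    size_t n = 0;
    for (; cur != NULL; cur = cur->next) n++;
    return n;
}

void free_list(named_data *cur)
{
    while (cur != NULL) {
        named_data *next = cur->next;
        free(cur->oid); free(cur->val); free(cur);
        cur = next;
    }
}

#define U(s) ((const unsigned char *)(s))
/* Build a three-entry list, then try to enlarge the middle entry under a
 * simulated allocation failure. Returns 1 when the failure is clean: the call
 * reports an error, all three entries stay reachable, and the old value survives. */
int failed_enlarge_keeps_list_intact(void)
{
    named_data *head = NULL, *b;
    int ok;
    /* Constructed entries; the "OIDs" are just distinct byte strings here. */
    if (!store_named_data(&head, U("C"), 1, U("US"), 2) ||
        !store_named_data(&head, U("O"), 1, U("Org"), 3) ||
        !store_named_data(&head, U("CN"), 2, U("cn"), 2)) {
        free_list(head);
        return 0;
    }
    fail_next_alloc = 1;
    ok = store_named_data(&head, U("O"), 1, U("A longer name"), 13) == NULL;
    b = find_named_data(head, U("O"), 1);
    ok = ok && list_length(head) == 3 && b != NULL && b->val_len == 3 && memcmp(b->val, "Org", 3) == 0;
    free_list(head);
    return ok;
}

int main(void) { return failed_enlarge_keeps_list_intact() ? 0 : 1; }
```

Compile with `cc -fsanitize=address example.c && ./a.out`; an exit status of 0 means the simulated allocation failure left all three entries reachable with their values intact. The same check is what a regression test for this class of bug should assert, and running it under AddressSanitizer is the quickest way to catch the original ordering, since freeing a still-linked entry shows up as soon as the list is walked or freed again.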
Fedora 22, package polarssl, is not vulnerable because it currently has polarssl-1.3.9-3.fc22 in stable
Created mbedtls tracking bugs for this issue:

Affects: fedora-all [bug 1297438]
Affects: epel-all [bug 1297439]
Please note: PolarSSL has been replaced with mbedTLS. We no longer support PolarSSL.
(In reply to Morten Stevens from comment #3)
> Please note: PolarSSL has been replaced with mbedTLS. We no longer
> support PolarSSL.

Hi, unfortunately the polarssl package is still available in the latest version of Fedora. If you no longer support PolarSSL and will not build new fixed versions, then the package should be removed according to the guidelines in:

https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life
(In reply to Martin Prpic from comment #4)
> (In reply to Morten Stevens from comment #3)
> > Please note: PolarSSL has been replaced with mbedTLS. We no longer
> > support PolarSSL.
>
> Hi, unfortunately the polarssl package is still available in the latest
> version of Fedora. If you no longer support PolarSSL and will not build new
> fixed versions, then the package should be removed according to the
> guidelines in:
>
> https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

Of course, that has already happened: https://admin.fedoraproject.org/pkgdb/package/rpms/polarssl/

Regarding Fedora 22: You'll get mbedTLS automatically if you have the older PolarSSL installed.
(In reply to Morten Stevens from comment #5)
> (In reply to Martin Prpic from comment #4)
> > (In reply to Morten Stevens from comment #3)
> > > Please note: PolarSSL has been replaced with mbedTLS. We no longer
> > > support PolarSSL.
> >
> > Hi, unfortunately the polarssl package is still available in the latest
> > version of Fedora. If you no longer support PolarSSL and will not build new
> > fixed versions, then the package should be removed according to the
> > guidelines in:
> >
> > https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life
>
> Of course, that has already happened:
> https://admin.fedoraproject.org/pkgdb/package/rpms/polarssl/

Ah, cool, this build confused me because it's tagged as f23 but not actually in the mirrors: http://koji.fedoraproject.org/koji/buildinfo?buildID=658695

> Regarding Fedora 22: You'll get mbedTLS automatically if you have the
> older PolarSSL installed.

Fair enough, thanks!
mbedtls-2.2.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
mbedtls-1.3.16-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
mbedtls-2.2.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
mbedtls-2.2.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
mbedtls-2.2.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.