Bug 1311876 - (CVE-2016-0798) CVE-2016-0798 OpenSSL: Avoid memory leak in SRP
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Keywords: Security
Depends On:
Blocks: 1301847
Reported: 2016-02-25 04:15 EST by Huzaifa S. Sidhpurwala
Modified: 2016-03-01 10:29 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A memory leak flaw was found in the way OpenSSL performed SRP user database look-ups using the SRP_VBASE_get_by_user() function. A remote attacker connecting to certain SRP servers with an invalid user name could leak approximately 300 bytes of the server's memory per connection.
Last Closed: 2016-02-25 04:22:23 EST
Description Huzaifa S. Sidhpurwala 2016-02-25 04:15:48 EST
As per Upstream advisory:
The SRP user database lookup method SRP_VBASE_get_by_user had
confusing memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no way of
distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.  Servers that do not configure SRP, or
configure SRP but do not configure a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in
SRP_VBASE_get_by_user is now disabled even if the user has configured
a seed.  Applications are advised to migrate to
SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong
guarantees about the indistinguishability of valid and invalid
logins. In particular, computations are currently not carried out in
constant time.  (1.0.1 might omit the new API).

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was reported to OpenSSL on February 23rd 2016 by Emily Käsper.  The fix was developed by Emily Käsper of the OpenSSL development team.


This issue does not affect the version of OpenSSL shipped with Red Hat Enterprise Linux 5, 6 and 7, since these packages are compiled without SRP support.
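
The ownership ambiguity described in the advisory above, as a simplified C model added here (it is not OpenSSL's code and not part of the bug report). `user_rec`, `get_by_user`, `get1_by_user`, the `in_db` flag and the one-entry database are hypothetical stand-ins for the SRP user record and the two lookup contracts; the model counts how many records stay allocated after 100 lookups.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model of the ownership problem; not OpenSSL source. */
typedef struct { char name[32]; int in_db; /* model-only flag */ } user_rec;
static user_rec db[] = { { "alice", 1 } };  /* constructed sample database */
static int seed_configured = 1;             /* models a configured unknown-user seed */
static long live;                           /* heap records not yet freed */
enum { LOOKUPS = 100 };                     /* simulated connections per run */
static user_rec *new_rec(const char *name) {
    user_rec *r = calloc(1, sizeof *r);     /* in_db stays 0 for heap records */
    if (r == NULL) abort();
    strncpy(r->name, name, sizeof r->name - 1);
    live++;
    return r;
}
static void rec_free(user_rec *r) { if (r != NULL) { live--; free(r); } }
static user_rec *find(const char *name) {
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].name, name) == 0) return &db[i];
    return NULL;
}
/* Old contract: borrowed if known, freshly allocated if unknown and seeded. */
static user_rec *get_by_user(const char *name) {
    user_rec *u = find(name);
    return u ? u : (seed_configured ? new_rec(name) : NULL);
}
/* get1-style contract: the result is always a copy that the caller frees. */
static user_rec *get1_by_user(const char *name) {
    user_rec *u = find(name);
    return u ? new_rec(u->name) : (seed_configured ? new_rec(name) : NULL);
}
long outstanding_old(const char *name) {    /* records left allocated, old contract */
    user_rec *seen[LOOKUPS];
    long before = live, leaked;
    /* A real caller cannot free here: the pointer may belong to the database. */
    for (int i = 0; i < LOOKUPS; i++) seen[i] = get_by_user(name);
    leaked = live - before;
    /* Demo-only cleanup using the model flag, which a real caller does not have. */
    for (int i = 0; i < LOOKUPS; i++) if (seen[i] && !seen[i]->in_db) rec_free(seen[i]);
    return leaked;
}
long outstanding_get1(const char *name) {   /* records left allocated, get1 contract */
    long before = live;
    for (int i = 0; i < LOOKUPS; i++) rec_free(get1_by_user(name));
    return live - before;
}
int main(void) {
    printf("old=%ld get1=%ld\n", outstanding_old("mallory"), outstanding_get1("mallory"));
    return 0;
}
```

With the seed set, every lookup of an unknown name through the old contract leaves one record behind, while the get1-style contract leaves none for either known or unknown names.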
Comment 1 Martin Prpič 2016-02-29 07:01:51 EST
Public via:

Upstream patch:

Comment 2 Martin Prpič 2016-02-29 07:32:16 EST

Name: the OpenSSL project
Upstream: Emilia Käsper