As per Upstream advisory: The internal |fmtstr| function used in processing a "%s" format string in the BIO_*printf functions could overflow while calculating the length of a string and cause an OOB read when printing very long strings. Additionally the internal |doapr_outch| function can attempt to write to an OOB memory location (at an offset from the NULL pointer) in the event of a memory allocation failure. In 1.0.2 and below this could be caused where the size of a buffer to be allocated is greater than INT_MAX. E.g. this could be in processing a very long "%s" format string. Memory leaks can also occur. These issues will only occur on certain platforms where sizeof(size_t) > sizeof(int). E.g. many 64 bit systems. The first issue may mask the second issue dependent on compiler behaviour. These problems could enable attacks where large amounts of untrusted data is passed to the BIO_*printf functions. If applications use these functions in this way then they could be vulnerable. OpenSSL itself uses these functions when printing out human-readable dumps of ASN.1 data. Therefore applications that print this data could be vulnerable if the data is from untrusted sources. OpenSSL command line applications could also be vulnerable where they print out ASN.1 data, or if untrusted data is passed as command line arguments. Libssl is not considered directly vulnerable. Additionally certificates etc received via remote connections via libssl are also unlikely to be able to trigger these issues because of message size limits enforced within libssl. This issue affects OpenSSL versions 1.0.2 and 1.0.1. OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s This issue was reported to OpenSSL on February 23rd by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team.
Public via: Upstream patch: http://git.openssl.org/?p=openssl.git;a=commitdiff;h=9cb177301fdab492e4cfef376b28339afe3ef663 Detailed write-up: https://guidovranken.wordpress.com/2016/02/27/openssl-cve-2016-0799-heap-corruption-via-bio_printf/
Created openssl101e tracking bugs for this issue: Affects: epel-5 [bug 1312858]
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1312856]
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1312857]
Acknowledgments: Name: the OpenSSL project Upstream: Guido Vranken
openssl-1.0.2g-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Statement: The original issue fixed by OpenSSL upstream contains two distinct fixes. The first one is a format string flaw in the internal fmtstr functions, which may result in a OOB read flaw when printing very large string. This issue was assigned CVE-2016-0799 The second issue relates to the internal doapr_outch function of OpenSSL. It can result in an OOB write, or cause memory leaks. This issue has been assigned CVE-2016-2842 by MITRE as is now tracked as https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2842
openssl-1.0.1k-14.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:0722 https://rhn.redhat.com/errata/RHSA-2016-0722.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0996 https://rhn.redhat.com/errata/RHSA-2016-0996.html
There appears to be a problem with the source RPM for RHEL6. It looks like something is wrong with one of the certs used in the tests.
(In reply to jkeilson from comment #19) > There appears to be a problem with the source RPM for RHEL6. It looks like > something is wrong with one of the certs used in the tests. Unfortunately the certs used for the tests expired. If you want to rebuild the source you have to artificially manipulate the date on the machine used to the rebuild or disable the tests. The certs will be updated in future openssl erratum.
openssl101e-1.0.1e-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.7 Extended Update Support Via RHSA-2016:2073 https://rhn.redhat.com/errata/RHSA-2016-2073.html
This issue has been addressed in the following products: Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html