Quoting form the draft of OpenSSL upstream advisory: EVP_EncryptUpdate overflow (CVE-2016-2106) ========================================== Severity: Low An overflow can occur in the EVP_EncryptUpdate() function. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. Following an analysis of all OpenSSL internal usage of the EVP_EncryptUpdate() function all usage is one of two forms. The first form is where the EVP_EncryptUpdate() call is known to be the first called function after an EVP_EncryptInit(), and therefore that specific call must be safe. The second form is where the length passed to EVP_EncryptUpdate() can be seen from the code to be some small value and therefore there is no possibility of an overflow. Since all instances are one of these two forms, it is believed that there can be no overflows in internal code due to this problem. It should be noted that EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances of these calls have also been too and it is believed there are no instances in internal usage where an overflow could occur. This could still represent a security issue for end user code that calls this function directly. OpenSSL 1.0.2 users should upgrade to 1.0.2h OpenSSL 1.0.1 users should upgrade to 1.0.1t This issue was reported to OpenSSL on 3rd March 2016 by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team.
Acknowledgments: Name: the OpenSSL project Upstream: Guido Vranken
Created attachment 1152021 [details] OpenSSL upstream fix
External References: https://openssl.org/news/secadv/20160503.txt
Created openssl101e tracking bugs for this issue: Affects: epel-5 [bug 1332590]
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1332588]
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1332589] Affects: epel-7 [bug 1332591]
Upstream commit: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=3f3582139fbb259a1c3cbb0a25236500a409bf26
openssl-1.0.2h-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
openssl-1.0.2h-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:0722 https://rhn.redhat.com/errata/RHSA-2016-0722.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0996 https://rhn.redhat.com/errata/RHSA-2016-0996.html
openssl-1.0.1k-15.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
openssl101e-1.0.1e-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat JBoss Web Server 2.1.1 Via RHSA-2016:1650 https://rhn.redhat.com/errata/RHSA-2016-1650.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Via RHSA-2016:1649 https://rhn.redhat.com/errata/RHSA-2016-1649.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Via RHSA-2016:1648 https://rhn.redhat.com/errata/RHSA-2016-1648.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4.10 Via RHSA-2016:2056 https://rhn.redhat.com/errata/RHSA-2016-2056.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2016:2054 https://rhn.redhat.com/errata/RHSA-2016-2054.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2016:2055 https://rhn.redhat.com/errata/RHSA-2016-2055.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.7 Extended Update Support Via RHSA-2016:2073 https://rhn.redhat.com/errata/RHSA-2016-2073.html
This issue has been addressed in the following products: Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html