An out-of-bounds write vulnerability was found to be caused by not checking errors in BN_bn2dec(). If an oversize BIGNUM is presented to BN_bn2dec() it can cause BN_div_word() to fail and not reduce the value of 't' resulting in OOB writes to the bn_data buffer and eventually crashing.

Upstream patch:

https://git.openssl.org/?p=openssl.git;a=commit;h=07bed46f332fce8c1d157689a2cdf915a982ae34
Created openssl101e tracking bugs for this issue: Affects: epel-5 [bug 1367345]
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1367343]
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1367344]
Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i.

OOB write in BN_bn2dec() (CVE-2016-2182)
========================================

Severity: Low

The function BN_bn2dec() does not check the return value of BN_div_word(). This can cause an OOB write if an application uses this function with an overly large BIGNUM. This could be a problem if an overly large certificate or CRL is printed out from an untrusted source. TLS is not affected because record limits will reject an oversized certificate before it is parsed.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 2nd August 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL development team.

External References:
https://www.openssl.org/news/secadv/20160922.txt
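The unchecked digit loop that comment #0 and the advisory above describe, shown on a small multi-limb integer so it can be run here. This is an added example, not OpenSSL's code and not the upstream patch: `toybn`, `toy_div_word`, `toy_bn2dec`, `DEC_CONV` and `MAX_LIMBS` are hypothetical stand-ins for BIGNUM, BN_div_word(), BN_bn2dec(), BN_DEC_CONV and the real allocation limits. What it demonstrates is the two checks a conversion loop of this shape needs: a bound on the scratch buffer and a check of the division routine's error return, since a failed division leaves the value unreduced and the loop would otherwise never terminate.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for BIGNUM: little-endian 32-bit limbs, 'top' = limbs in use. */
#define MAX_LIMBS 8
#define MAX_CHUNKS (MAX_LIMBS * 4)   /* generous bound on 9-digit chunks for MAX_LIMBS limbs */
#define DEC_CONV 1000000000u         /* 10^9: largest power of ten that fits a 32-bit limb */

typedef struct { uint32_t d[MAX_LIMBS]; int top; } toybn;

/* Divide a by w in place and return the remainder, or UINT32_MAX on error,
 * mirroring BN_div_word()'s (BN_ULONG)-1 convention. Like the real function it
 * can fail (here: w == 0, or an input wider than the limb budget), and on
 * failure it leaves 'a' untouched, i.e. not reduced. */
static uint32_t toy_div_word(toybn *a, uint32_t w) {
    if (w == 0 || a->top < 0 || a->top > MAX_LIMBS) return UINT32_MAX;
    uint64_t rem = 0;
    for (int i = a->top - 1; i >= 0; i--) {
        uint64_t cur = (rem << 32) | a->d[i];    /* rem < w < 2^32, so no overflow */
        a->d[i] = (uint32_t)(cur / w);
        rem = cur % w;
    }
    while (a->top > 0 && a->d[a->top - 1] == 0) a->top--;   /* drop leading zero limbs */
    return (uint32_t)rem;
}

/* The loop shape the advisory describes (deliberately not compiled here):
 *     while (!BN_is_zero(t)) *lp++ = BN_div_word(t, BN_DEC_CONV);
 * If BN_div_word() fails it returns (BN_ULONG)-1 and t is not reduced, so the
 * loop never terminates and each iteration writes another word past bn_data. */

/* Hardened conversion: returns the number of characters written, or -1 on error. */
static int toy_bn2dec(const toybn *in, char *out, size_t out_len) {
    toybn t = *in;
    uint32_t chunks[MAX_CHUNKS];
    size_t n = 0;

    if (t.top == 0) {
        if (out_len < 2) return -1;
        out[0] = '0'; out[1] = '\0';
        return 1;
    }
    while (t.top > 0) {
        if (n >= MAX_CHUNKS) return -1;              /* bound the scratch buffer */
        uint32_t r = toy_div_word(&t, DEC_CONV);
        if (r == UINT32_MAX) return -1;              /* the check CVE-2016-2182 lacked */
        chunks[n++] = r;
    }
    /* Most significant chunk unpadded, the rest zero-padded to nine digits. */
    int w = snprintf(out, out_len, "%" PRIu32, chunks[n - 1]);
    if (w < 0 || (size_t)w >= out_len) return -1;
    size_t pos = (size_t)w;
    for (size_t i = n - 1; i-- > 0;) {
        w = snprintf(out + pos, out_len - pos, "%09" PRIu32, chunks[i]);
        if (w < 0 || (size_t)w >= out_len - pos) return -1;
        pos += (size_t)w;
    }
    return (int)pos;
}

static toybn toybn_from_u64(uint64_t v) {
    toybn r;
    memset(&r, 0, sizeof r);
    r.d[0] = (uint32_t)v;
    r.d[1] = (uint32_t)(v >> 32);
    r.top = r.d[1] ? 2 : (r.d[0] ? 1 : 0);
    return r;
}

/* Returns 1 when the decimal rendering of v equals expect. */
static int dec_equals(uint64_t v, const char *expect) {
    char buf[128];
    toybn b = toybn_from_u64(v);
    int n = toy_bn2dec(&b, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expect) == 0;
}

/* Returns 1 when a constructed oversized input is rejected instead of looping. */
static int oversize_is_rejected(void) {
    toybn big;
    char buf[128];
    memset(&big, 0, sizeof big);
    big.top = MAX_LIMBS + 1;       /* wider than the limb budget: division will fail */
    return toy_bn2dec(&big, buf, sizeof buf) == -1;
}

int main(void) {
    char buf[128];
    toybn b = toybn_from_u64(18446744073709551615ULL);
    if (toy_bn2dec(&b, buf, sizeof buf) < 0) return 1;
    printf("%s\n", buf);
    printf("oversize rejected: %d\n", oversize_is_rejected());
    return 0;
}
```

The bounds check alone would not have been enough for the real bug either: without the error-return check the loop keeps calling the division on an unreduced value, so the bound is only what turns an endless OOB write into a clean failure. Both checks belong in the loop.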
Why is this Severity: Low? The NIST NVD has it listed as High severity. https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-2182&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P)
(In reply to Adam Mariš from comment #0)
> Upstream patch:
>
> https://git.openssl.org/?p=openssl.git;a=commit;h=07bed46f332fce8c1d157689a2cdf915a982ae34

This additional commit is also needed to correctly fix this issue:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=3612ff6fcec0e3d1f2a598135fe12177c0419582
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html

This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2187 https://access.redhat.com/errata/RHSA-2018:2187

This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2186

This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2185