Bug 827399 - openssl: buffer overflow in apps' password callback function
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Assigned To: Red Hat Product Security
impact=none,public=20120531,reported=...
Blocks: 827406
Reported: 2012-06-01 07:11 EDT by Jan Lieskovsky
Modified: 2015-08-19 05:16 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-14 09:49:11 EDT

Description Jan Lieskovsky 2012-06-01 07:11:12 EDT
A stack-based buffer overflow was found in the way the CA application of openssl, a general purpose cryptography library with a TLS implementation, performed signing of certificate requests when an overly long password has been used for CA key encryption. An attempt to sign a certificate request with such a CA key would lead to a crash of openssl's 'ca' executable.

References:
[1] http://seclists.org/bugtraq/2012/May/155
Comment 5 Tomas Hoger 2012-06-14 09:49:11 EDT
This issue is not specific to the ca sub-command of the openssl utility.  It is an issue in the password_callback() function that is used by other openssl sub-commands too.  An easy way to trigger it is using genrsa (openssl genrsa -out test.key -des3), where both stack-based (first pass phrase prompt) and heap-based (verify pass phrase prompt) overflows can be reproduced.

This is not a security flaw.  It only affects the openssl command line tool, which was never intended to be installed as setuid / setgid.  Therefore, no trust boundary is crossed.

A patch to address this was sent to the upstream bug.
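
Added illustration, not code from OpenSSL, the upstream patch, or either commenter: a callback with the shape of OpenSSL's `pem_password_cb` that rejects a pass phrase that does not fit the caller-supplied buffer, on both the first and the verify pass. `struct pw_source`, `copy_bounded` and `bounded_password_cb` are hypothetical names, the -1 failure value is this example's choice, and the pass phrases are constructed inputs standing in for prompt text.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the text typed at the two prompts. */
struct pw_source { const char *first; const char *verify; };

/* Copy src into dst only if it fits including the NUL; length or -1. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    const char *end;
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    end = memchr(src, '\0', dst_size);   /* never scans past dst_size */
    if (end == NULL) return -1;          /* too long: reject, do not truncate */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return (int)(end - src);
}

/* Hypothetical callback with the pem_password_cb shape; -1 means failure. */
int bounded_password_cb(char *buf, int size, int verify, void *userdata)
{
    const struct pw_source *src = userdata;
    char *check = NULL;
    int len, ok;
    if (buf == NULL || size <= 0 || src == NULL) return -1;
    len = copy_bounded(buf, (size_t)size, src->first);
    if (len < 0) goto fail;
    if (!verify) return len;
    /* The heap buffer for the verify pass uses the same limit as buf. */
    check = malloc((size_t)size);
    if (check == NULL) goto fail;
    ok = copy_bounded(check, (size_t)size, src->verify) == len
         && memcmp(buf, check, (size_t)len) == 0;
    memset(check, 0, (size_t)size);      /* best-effort scrub before free */
    free(check);
    if (ok) return len;
fail:
    memset(buf, 0, (size_t)size);        /* leave no partial pass phrase behind */
    return -1;
}

int main(void)
{
    char buf[8];
    struct pw_source in = { "constructed-overlong-passphrase", "x" };
    printf("%d\n", bounded_password_cb(buf, (int)sizeof buf, 1, &in));
    return 0;
}
```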
