Bug 827399 - openssl: buffer overflow in apps' password callback function
Summary: openssl: buffer overflow in apps' password callback function
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 827406
 
Reported: 2012-06-01 11:11 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:53 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-14 13:49:11 UTC
Embargoed:



Description Jan Lieskovsky 2012-06-01 11:11:12 UTC
A stack-based buffer overflow was found in the way the CA application of openssl, a general-purpose cryptography library with a TLS implementation, performed signing of certificate requests when an overly long password had been used for CA key encryption. An attempt to sign a certificate request with such a CA key would lead to a crash of openssl's 'ca' executable.

References:
[1] http://seclists.org/bugtraq/2012/May/155

Comment 5 Tomas Hoger 2012-06-14 13:49:11 UTC
This issue is not specific to the ca sub-command of the openssl utility. It is an issue in the password_callback() function that is used by other openssl sub-commands too. An easy way to trigger it is using genrsa (openssl genrsa -out test.key -des3), where both stack-based (first pass phrase prompt) and heap-based (verify pass phrase prompt) overflows can be reproduced.

This is not a security flaw. It only affects the openssl command line tool, which was never intended to be installed setuid / setgid. Therefore, no trust boundary is crossed.

A patch to address this was sent to the upstream bug.
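The pattern behind the two overflows described in comment 5, as an added C illustration rather than OpenSSL's own code: a password callback with the pem_password_cb shape (buffer, its size, a verify flag, user data) bounds the pass-phrase prompt with stdio's BUFSIZ constant (8192 on glibc) instead of the bufsiz it was handed, so a pass phrase longer than the caller's buffer overruns it, and repeating the same limit on the malloc'd confirmation buffer overruns the heap. The BUFSIZ/bufsiz mix-up is assumed here as the mechanism (the page itself only reports the symptom); ui_prompt, verify_prompt, flawed_callback, fixed_callback, overruns and the 64-byte CALLER_BUF are invented for the example, the pass phrase of 'A's is constructed input, and the simulated prompt clamps its writes so the flawed variant runs without corrupting memory while still reporting how far a real prompt would have written.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed array the caller hands to the callback (invented). */
#define CALLER_BUF 64

/* What the user "types", plus the true capacity of the destination so the
 * simulated prompt never writes out of bounds. */
struct typed_input {
    const char *text;
    size_t capacity;
};

/* Stand-in for the interactive pass-phrase prompt. Stores up to maxlen
 * characters and returns how many it was permitted to store. Actual writes
 * are clamped to capacity - 1 (plus NUL) so the flawed callback can run
 * safely; the return value still shows how far a real prompt would go. */
static size_t ui_prompt(char *dest, size_t maxlen, const struct typed_input *in)
{
    size_t want = strlen(in->text);
    if (want > maxlen)
        want = maxlen;
    size_t safe = want < in->capacity ? want : in->capacity - 1;
    memcpy(dest, in->text, safe);
    dest[safe] = '\0';
    return want;
}

/* Second prompt into a heap buffer of bufsiz bytes, as a verify step does. */
static void verify_prompt(size_t limit, int bufsiz, const struct typed_input *in)
{
    struct typed_input again = { in->text, (size_t)bufsiz };
    char *heap = malloc((size_t)bufsiz);
    if (heap != NULL) {
        ui_prompt(heap, limit, &again);
        free(heap);
    }
}

/* Flawed variant: bounds both prompts with BUFSIZ - 1 (stdio's constant, 8192
 * on glibc) instead of bufsiz - 1, the size of the buffer it was given. The
 * first prompt overruns the caller's (typically stack) buffer, the verify
 * prompt overruns the heap buffer. */
static int flawed_callback(char *buf, int bufsiz, int verify, struct typed_input *in)
{
    size_t n = ui_prompt(buf, BUFSIZ - 1, in);
    if (verify)
        verify_prompt(BUFSIZ - 1, bufsiz, in);
    return (int)n;
}

/* Fixed variant: every limit is derived from bufsiz, the size the caller
 * actually provided, for the stack buffer and the heap buffer alike. */
static int fixed_callback(char *buf, int bufsiz, int verify, struct typed_input *in)
{
    if (bufsiz < 1)
        return -1;
    size_t n = ui_prompt(buf, (size_t)bufsiz - 1, in);
    if (verify)
        verify_prompt((size_t)bufsiz - 1, bufsiz, in);
    return (int)n;
}

/* Feeds a constructed pass phrase of pass_len 'A's to cb, whose destination
 * is a CALLER_BUF-byte array. Returns 1 if the phrase plus its NUL would not
 * have fit (a real prompt would have overrun), 0 if it fits, -1 if the test
 * input could not be allocated. */
static int overruns(int (*cb)(char *, int, int, struct typed_input *),
                    int verify, size_t pass_len)
{
    char buf[CALLER_BUF];
    char *pass = malloc(pass_len + 1);
    if (pass == NULL)
        return -1;
    memset(pass, 'A', pass_len);
    pass[pass_len] = '\0';
    struct typed_input in = { pass, sizeof buf };
    int n = cb(buf, (int)sizeof buf, verify, &in);
    free(pass);
    return n < 0 || (size_t)n + 1 > sizeof buf;
}

int main(void)
{
    printf("300-char pass phrase into a %d-byte buffer\n", CALLER_BUF);
    printf("  flawed callback: %s\n", overruns(flawed_callback, 1, 300) ? "OVERRUN" : "ok");
    printf("  fixed callback:  %s\n", overruns(fixed_callback, 1, 300) ? "OVERRUN" : "ok");
    return 0;
}
```

The boundary behaves as a reviewer would want to check: a 63-character phrase fits either way, a 64-character one overruns only with the flawed callback, and the fixed callback truncates at bufsiz - 1 rather than writing past the buffer. Under the assumed mechanism the correction is the same one-word change per prompt, deriving the maximum from the parameter the caller passed instead of from an unrelated global constant; nothing here makes the openssl binary itself a privilege boundary, which is why the comment above closes the bug as NOTABUG even though the crash is real.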

