A common idiom in the codebase is: if (p + len > limit) { return; /* Too long */ } where p points to some malloc'd data of SIZE bytes and limit == p + SIZE. 'len' could be from some externally supplied data, e.g. a TLS message. This idiom is vulnerable to an integer overflow.
Created openssl101e tracking bugs for this issue: Affects: epel-5 [bug 1341708]
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1341706]
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1341707]
Upstream fix for 1.0.2 (only Fedora-23 and mingw packages in Fedora-23/Epel-7): https://github.com/openssl/openssl/commit/a004e72b95835136d3f1ea90517f706c24c03da7
See upstream blog post about this issue: https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/ In summary from one of the upstream developers: This is a LOW issue, and does not justify a release by itself.
Upstream commit in 1.0.1 branch: https://github.com/openssl/openssl/commit/6f35f6deb5ca7daebe289f86477e061ce3ee5f46
Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i.

Pointer arithmetic undefined behaviour (CVE-2016-2177)
======================================================

Severity: Low

Avoid some undefined pointer arithmetic

A common idiom in the codebase is to check limits in the following manner:
"p + len > limit"

Where "p" points to some malloc'd data of SIZE bytes and limit == p + SIZE

"len" here could be from some externally supplied data (e.g. from a TLS message).

The rules of C pointer arithmetic are such that "p + len" is only well defined where len <= SIZE. Therefore the above idiom is actually undefined behaviour.

For example this could cause problems if some malloc implementation provides an address for "p" such that "p + len" actually overflows for values of len that are too big and therefore p + len < limit.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 4th May 2016 by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team.

External References: https://www.openssl.org/news/secadv/20160922.txt
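As an added illustration of the idiom described in the first comment and in the advisory above (this is constructed example code, not OpenSSL's), the unsafe check is modelled with uintptr_t arithmetic so that the wraparound the advisory describes is well defined and observable, and is placed beside the hardened form that compares lengths instead of forming p + len. The object address 0x1000 and size 16 are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the idiom "if (p + len > limit) return;", using uintptr_t so the
 * wraparound is defined and visible. With real pointers the same overflow is
 * undefined behaviour. Returns 1 if len would be accepted. */
int idiom_accepts(uintptr_t p, uintptr_t len, uintptr_t limit)
{
    return !(p + len > limit);
}

/* Hardened form: compare len against the remaining room instead of forming
 * p + len. limit - p is defined because both point into the same object.
 * Returns 1 if len is accepted. */
int hardened_accepts(const unsigned char *p, size_t len, const unsigned char *limit)
{
    if (p > limit)
        return 0;                       /* cursor already past the end */
    return len <= (size_t)(limit - p);
}

/* Constructed scenario: a 16-byte object at modelled address 0x1000. */
#define OBJ_ADDR ((uintptr_t)0x1000)
#define OBJ_SIZE 16

/* A len chosen so that p + len wraps to 8: "p + len < limit" although len
 * is far larger than the object. */
uintptr_t wrapping_len(void)
{
    return (uintptr_t)0 - OBJ_ADDR + 8;
}

int idiom_on_wrapping_len(void)
{
    return idiom_accepts(OBJ_ADDR, wrapping_len(), OBJ_ADDR + OBJ_SIZE);
}

int hardened_on_len(size_t len)
{
    static unsigned char obj[OBJ_SIZE];     /* a real object for the hardened check */
    return hardened_accepts(obj, len, obj + OBJ_SIZE);
}

int main(void)
{
    printf("idiom, len=8:        %d\n", idiom_accepts(OBJ_ADDR, 8, OBJ_ADDR + OBJ_SIZE));
    printf("idiom, len=32:       %d\n", idiom_accepts(OBJ_ADDR, 32, OBJ_ADDR + OBJ_SIZE));
    printf("idiom, wrapping len: %d\n", idiom_on_wrapping_len());   /* 1: slips through */
    printf("hardened, len=8:     %d\n", hardened_on_len(8));
    printf("hardened, huge len:  %d\n", hardened_on_len(SIZE_MAX - 0xfff));
    return 0;
}
```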
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html
This issue has been addressed in the following products: JBoss Core Services for Solaris and Microsoft Windows systems Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 Via RHSA-2017:0194 https://access.redhat.com/errata/RHSA-2017:0194
This issue has been addressed in the following products: JBoss Core Services on RHEL 6 Via RHSA-2017:0193 https://access.redhat.com/errata/RHSA-2017:0193
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2017:1659 https://access.redhat.com/errata/RHSA-2017:1659
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:1658 https://access.redhat.com/errata/RHSA-2017:1658