[arch-security] OpenSSL NULL pointer dereference in do_ssl3_write

Mark Lee mark at markelee.com
Sat May 3 14:32:28 EDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/02/2014 02:29 PM, Mark Lee wrote:
> To all,
> 
> Not sure if we're affected, but see below for email details.
> 
> Regards,
> Mark
> 
> 
>> On 05/02/2014 09:30 AM, Marc Deslauriers wrote:
>>> Hello,
>>>
>>> A null pointer dereference bug was discovered in
>>> so_ssl3_write(). An attacker could possibly use this to cause
>>> OpenSSL to crash, resulting in a denial of service.
>>>
>>> http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321
>>>
>>>
>>>
>>>
> http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=e76e308f1fab2253ab5b4ef52a1865c5ffecdf21
>>>
>>>
>>> http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/005_openssl.patch.sig
>>>
>>>
>>>
> Could a CVE please be assigned to this issue?
>>>
>>> Thanks,
>>>
>>> Marc.
>>>
> 
>> I think getting this one a CVE is time critical. Mitre: sorry if
>> this causes a duplicate, but I'm assigning a CVE now. Please use 
>> CVE-2014-0198 for this issue. Also cc'ing Theo so OpenBSD gets 
>> notified for sure. Speaking of which Theo: should we get you or an 
>> OpenBSD deputy (Bob Beck?) onto distros@?
> 
>> -- Kurt Seifried Red Hat Security Response Team (SRT) PGP:
>> 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> 
> 

To All,

Will Arch patch their version of OpenSSL?

Regards,
Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iF4EAREIAAYFAlNlNjwACgkQZ/Z80n6+J/b9QAEAhy5dd3JC9tN6VhPHUFBLliMx
y/CcEBAkLAG8kXUZ614A/0QMjlcf8D8UT0yCyMQfa12ihMxhg1u2SgGTNCb4IZvt
=eUT+
-----END PGP SIGNATURE-----


More information about the arch-security mailing list