
SoylentNews is people

posted by janrinok on Monday October 19 2015, @11:05PM
from the found-and-fixed dept.

What the Qualys researchers have found is that there is a companion memory leak (CVE-2015-5333) and buffer overflow (CVE-2015-5334) in LibreSSL, the SSL replacement candidate.

The researchers from Qualys (their notice published here) said they were trying to see if a remote code execution attack is feasible against vulnerabilities they've turned up in OpenSMTPD (which earlier this month hit version 5.7.3).

“Because we could not find one in OpenSMTPD itself, we started to review the malloc()s and free()s of its libraries, and eventually found a memory leak in LibreSSL's OBJ_obj2txt() function; we then realized that this function also contains a buffer overflow (an off-by-one, usually stack-based).”

The memory leak provides a path for an attacker to cause a denial-of-service attack, and also permits triggering of the buffer overflow.

The LibreSSL team has released fixes for OpenBSD.
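The two bug classes named above (a scratch allocation that is never freed on an error path, and an off-by-one write of the string terminator) are easy to reproduce in a small formatter, and easy to catch with a guard byte and an allocation counter. The following is an added illustration, not LibreSSL's code and not the actual OBJ_obj2txt() defect (the page does not describe its mechanics): a constructed OID-to-dotted-text function in a buggy and a fixed form, plus the harness checks a reviewer or fuzzer would use to tell them apart. All function names, the 128-byte scratch size and the sample OID are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: counts outstanding heap blocks so a leak is observable. */
static int live_allocs = 0;
static void *scratch_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void scratch_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Render OID arcs as dotted decimal into scratch; returns length or -1 if it does not fit. */
static int render_arcs(const unsigned int *arcs, size_t narcs, char *scratch, size_t scratch_len)
{
    size_t used = 0;
    for (size_t i = 0; i < narcs; i++) {
        int n = snprintf(scratch + used, scratch_len - used, i ? ".%u" : "%u", arcs[i]);
        if (n < 0 || (size_t)n >= scratch_len - used)
            return -1;                            /* scratch too small */
        used += (size_t)n;
    }
    return (int)used;
}

/* BUGGY (constructed, not LibreSSL's bug): when the text is exactly len bytes long the
 * terminator lands at buf[len], one past the end; and the error path leaks scratch. */
int oid2txt_buggy(const unsigned int *arcs, size_t narcs, char *buf, size_t len)
{
    char *scratch = scratch_alloc(128);
    if (!scratch) return -1;
    int n = render_arcs(arcs, narcs, scratch, 128);
    if (n < 0) return -1;                         /* LEAK: scratch never freed */
    size_t copy = (size_t)n < len ? (size_t)n : len;   /* should be len - 1 */
    memcpy(buf, scratch, copy);
    buf[copy] = '\0';                             /* copy == len -> off-by-one */
    scratch_free(scratch);
    return n;
}

/* FIXED: reserve one byte for the terminator and free scratch on every exit.
 * Returns the full length needed so the caller can detect truncation. */
int oid2txt_fixed(const unsigned int *arcs, size_t narcs, char *buf, size_t len)
{
    char *scratch = scratch_alloc(128);
    if (!scratch) return -1;
    int n = render_arcs(arcs, narcs, scratch, 128);
    if (n >= 0 && len > 0) {
        size_t copy = (size_t)n < len - 1 ? (size_t)n : len - 1;
        memcpy(buf, scratch, copy);
        buf[copy] = '\0';
    }
    scratch_free(scratch);
    return n;
}

typedef int (*oid2txt_fn)(const unsigned int *, size_t, char *, size_t);

/* Check 1: call the formatter with a buffer whose output fills it exactly and a guard
 * byte right behind it; returns 1 if the guard was clobbered (the off-by-one). */
int overflowed_guard(oid2txt_fn fn)
{
    static const unsigned int oid[] = { 1, 2, 840, 113549 };   /* "1.2.840.113549", 14 chars */
    char buf[15];                                               /* 14 usable bytes + guard */
    buf[14] = 'G';
    fn(oid, 4, buf, 14);
    return buf[14] != 'G';
}

/* Check 2: force the error path with an OID too long for scratch and report how many
 * heap blocks are still outstanding afterwards (0 = clean, 1 = leaked). */
int leaks_on_error(oid2txt_fn fn)
{
    unsigned int big[64];
    char buf[32];
    for (size_t i = 0; i < 64; i++) big[i] = 4294967295u;      /* 64 arcs * 11 chars > 128 */
    int before = live_allocs;
    fn(big, 64, buf, sizeof buf);
    return live_allocs - before;
}

/* Check 3: the fixed version produces the right text and signals truncation by return value. */
int fixed_formats_correctly(void)
{
    static const unsigned int oid[] = { 1, 2, 840, 113549 };
    char buf[32], small[8];
    int n1 = oid2txt_fixed(oid, 4, buf, sizeof buf);
    int n2 = oid2txt_fixed(oid, 4, small, sizeof small);
    return n1 == 14 && strcmp(buf, "1.2.840.113549") == 0 &&
           n2 == 14 && strcmp(small, "1.2.840") == 0;         /* n2 >= sizeof small: truncated */
}

int main(void)
{
    printf("buggy: guard clobbered=%d leaked blocks=%d\n",
           overflowed_guard(oid2txt_buggy), leaks_on_error(oid2txt_buggy));
    printf("fixed: guard clobbered=%d leaked blocks=%d ok=%d\n",
           overflowed_guard(oid2txt_fixed), leaks_on_error(oid2txt_fixed), fixed_formats_correctly());
    return 0;
}
```

The guard byte is the same trick AddressSanitizer and a fuzzing harness use at larger scale; the allocation counter is what a leak checker reports after a run. A single free on the unified exit path and a "length minus one" budget for the terminator are the whole fix.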

  • (Score: 3, Interesting) by NCommander (2) on Tuesday October 20 2015, @08:00AM (#252206)

    It was likely something inherited from OpenSSL rather than something they introduced. TFA isn't clear on where it came from. I just wish LibreSSL would get more traction outside the BSD community; OpenSSL is a horrid codebase.

    --
    Still always moving
  • (Score: 4, Informative) by TheRaven (270) on Tuesday October 20 2015, @08:40AM (#252212)

    I hope that it doesn't. It's a stopgap. There are two horrible things about OpenSSL. One is the implementation. LibreSSL is cleaning this up (though, after a massive reindent / reformat, making it annoying to compare code with OpenSSL).

    The other, and perhaps the more dangerous, is the API. It does evil things like tri-state return: positive value for success, zero for failure, negative for 'exceptional' failure. This is a problem because, in C, zero is false, non-zero is true, so code that does if (!some_openssl_api()) { /* error handling */ } works almost all of the time. Except when an attacker triggers the exceptional failure condition, then the code proceeds as if nothing is wrong, skipping things like certificate checks. There are many, many other ways to go wrong with OpenSSL's APIs. Clang has a few static analyser checkers for some of them, but it's by no means an exhaustive set.
    --
    sudo mod me up
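The tri-state pitfall described in the comment above can be shown in a few lines. The following is an added example, not code from the page and not an OpenSSL or LibreSSL API: a constructed stand-in for a positive/zero/negative return convention, the natural-looking C check that mishandles it, the strict check that does not, and a simulated client flow that makes the consequence visible (data sent after an "exceptional" handshake result). The enum names, client_flow and ts_ok are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the tri-state convention: > 0 success, 0 failure,
 * < 0 "exceptional" failure. Not an OpenSSL or LibreSSL function. */
enum { TS_SUCCESS = 1, TS_FAILURE = 0, TS_EXCEPTIONAL = -1 };

/* What the calling application ended up doing. */
enum app_outcome { APP_ABORTED = 0, APP_SENT_DATA = 1 };

/* The idiom that reads naturally in C but is wrong for tri-state returns:
 * !ret is true only for 0, so a negative return is treated as success. */
static bool failed_naive(int ret) { return !ret; }

/* Correct predicate: only a strictly positive return is success. */
static bool failed_strict(int ret) { return ret <= 0; }

/* Normalising wrapper: collapse the tri-state into a plain boolean once, at the
 * library boundary, so the rest of the code can use the natural C idiom safely. */
bool ts_ok(int ret) { return ret > 0; }

/* Simulated client: checks the "handshake" result with the given predicate and
 * only then sends application data. Reaching the send is supposed to mean the
 * peer was authenticated. */
static int client_flow(int handshake_ret, bool (*failed)(int))
{
    if (failed(handshake_ret)) {
        /* error handling: tear down, never send */
        return APP_ABORTED;
    }
    return APP_SENT_DATA;
}

int client_with_naive_check(int handshake_ret)  { return client_flow(handshake_ret, failed_naive); }
int client_with_strict_check(int handshake_ret) { return client_flow(handshake_ret, failed_strict); }

/* Walk all three return classes; returns how many times the naive check lets
 * data flow where the strict check aborts. */
int count_naive_divergences(void)
{
    static const int rets[] = { TS_SUCCESS, TS_FAILURE, TS_EXCEPTIONAL };
    int diverge = 0;
    for (int i = 0; i < 3; i++)
        if (client_with_naive_check(rets[i]) == APP_SENT_DATA &&
            client_with_strict_check(rets[i]) == APP_ABORTED)
            diverge++;
    return diverge;   /* 1: only the negative, "exceptional" case differs */
}

int main(void)
{
    static const int rets[] = { TS_SUCCESS, TS_FAILURE, TS_EXCEPTIONAL };
    for (int i = 0; i < 3; i++)
        printf("ret=%2d  naive:%s  strict:%s\n", rets[i],
               client_with_naive_check(rets[i]) ? "SENT_DATA" : "ABORTED",
               client_with_strict_check(rets[i]) ? "SENT_DATA" : "ABORTED");
    printf("divergent cases: %d\n", count_naive_divergences());
    return 0;
}
```

In a real code base the defensive move is the wrapper pattern: translate every tri-state return to a boolean at one place (ts_ok above), and grep or write a static-analysis rule for direct `!` tests of functions known to return negatives.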
    • (Score: 0) by Anonymous Coward on Tuesday October 20 2015, @06:38PM (#252412)


      If you use libtls instead of libssl from LibreSSL you ditch the openssl API.