OpenSSL CVE-2016-0799 Buffer Overflow Vulnerability

Description

Severity: Low

The internal |fmtstr| function used in processing a "%s" format string in the BIO_*printf functions could overflow while calculating the length of a string and cause an OOB read when printing very long strings.

Additionally, the internal |doapr_outch| function can attempt to write to an OOB memory location (at an offset from the NULL pointer) in the event of a memory allocation failure. In 1.0.2 and below this could be caused where the size of a buffer to be allocated is greater than INT_MAX, e.g. when processing a very long "%s" format string. Memory leaks can also occur.

The first issue may mask the second issue, dependent on compiler behaviour.

These problems could enable attacks where large amounts of untrusted data are passed to the BIO_*printf functions. If applications use these functions in this way then they could be vulnerable. OpenSSL itself uses these functions when printing out human-readable dumps of ASN.1 data. Therefore applications that print this data could be vulnerable if the data is from untrusted sources. OpenSSL command line applications could also be vulnerable where they print out ASN.1 data, or if untrusted data is passed as command line arguments.

Libssl is not considered directly vulnerable. Additionally, certificates etc. received via remote connections via libssl are also unlikely to be able to trigger these issues because of message size limits enforced within libssl.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2g.
OpenSSL 1.0.1 users should upgrade to 1.0.1s.

This issue was reported to OpenSSL on February 23rd by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team.
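The two defect classes the advisory names (a string length computed in int that can wrap past INT_MAX, and a character writer that stores through the buffer pointer after an allocation has failed) are easiest to see in a stripped-down "%s" printer. The following is an added, constructed illustration, not OpenSSL's fmtstr or doapr_outch code: each weak routine is shown beside a hardened form that does the length arithmetic in size_t, rejects anything that does not fit a non-negative int, and checks every allocation before writing. The names out_t, weak_outch, safe_outch, safe_format_s and the simulate_alloc_failure hook are invented for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not OpenSSL's code: a minimal "%s" printer with a
 * minimum field width, showing the weak and hardened forms of the length
 * computation and of the per-character output routine. */

typedef struct {
    char  *buf;   /* output buffer; NULL before the first allocation */
    size_t size;  /* bytes allocated */
    size_t pos;   /* next write index */
} out_t;

/* Test hook (assumed for the example): when non-zero the allocator reports
 * failure, so the out-of-memory path can be exercised deterministically. */
int simulate_alloc_failure = 0;

static void *xrealloc(void *p, size_t n) {
    return simulate_alloc_failure ? NULL : realloc(p, n);
}

/* Weak: width arithmetic in int. For a string longer than INT_MAX the cast
 * truncates and the additions wrap (signed overflow is undefined in C), so
 * the value that later sizes the output bears no relation to the data. */
int weak_padded_len(const char *s, int min_width) {
    int len = (int)strlen(s);
    int pad = min_width - len;
    if (pad < 0) pad = 0;
    return len + pad;
}

/* Weak: grows the buffer and writes without checking the result. A failed
 * realloc leaves buf NULL, so the store lands at NULL + pos, and the old
 * buffer is leaked because its pointer was overwritten. */
void weak_outch(out_t *o, char c) {
    if (o->pos >= o->size) {
        o->size = o->size ? o->size * 2 : 64;
        o->buf = xrealloc(o->buf, o->size);
    }
    o->buf[o->pos++] = c;
}

/* Hardened: compute the padded length in size_t and reject anything that
 * does not fit a non-negative int, which is what printf-style APIs return. */
bool safe_padded_len(size_t slen, int min_width, size_t *out) {
    size_t width = min_width > 0 ? (size_t)min_width : 0;
    size_t total = slen > width ? slen : width;
    if (total > (size_t)INT_MAX) return false;
    *out = total;
    return true;
}

/* Hardened: check the growth arithmetic and the allocation; on failure the
 * existing buffer and size are left intact so the caller can free it. */
bool safe_outch(out_t *o, char c) {
    if (o->pos >= o->size) {
        if (o->size > SIZE_MAX / 2) return false;
        size_t nsize = o->size ? o->size * 2 : 64;
        char *nbuf = xrealloc(o->buf, nsize);
        if (nbuf == NULL) return false;
        o->buf = nbuf;
        o->size = nsize;
    }
    o->buf[o->pos++] = c;
    return true;
}

/* Hardened "%s" with a minimum field width (left-padded with spaces).
 * Returns the number of bytes written, or -1 on length overflow or OOM. */
int safe_format_s(out_t *o, const char *s, int min_width) {
    size_t slen = strlen(s), total;
    if (!safe_padded_len(slen, min_width, &total)) return -1;
    for (size_t i = slen; i < total; i++)
        if (!safe_outch(o, ' ')) return -1;
    for (size_t i = 0; i < slen; i++)
        if (!safe_outch(o, s[i])) return -1;
    return (int)total;
}
```

The hardened path refuses a length above INT_MAX before any byte is written, and a failed growth leaves the previous buffer pointer in place rather than replacing it with NULL, which is what turns an allocation failure into a clean error return instead of a write at an offset from the NULL pointer.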

Affected Applications

OpenSSL

CVE References

CVE-2016-0799