Re: [Full-Disclosure] [OpenSSL Advisory] Vulnerabilities in ASN.1 parsing

From: Florian Weimer (fw_at_deneb.enyo.de)
Date: 09/30/03

    To: full-disclosure@lists.netsys.com
    Date: Tue, 30 Sep 2003 17:17:17 +0200
    
    

    On Tue, Sep 30, 2003 at 03:27:50PM +0100, Mark J Cox wrote:

    > Who is affected?
    > - ----------------
    >
    > All versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all
    > versions of SSLeay are affected.
    >
    > Any application that makes use of OpenSSL's ASN1 library to parse
    > untrusted data. This includes all SSL or TLS applications, those using
    > S/MIME (PKCS#7) or certificate generation routines.

    Does verifying an RSA signature also count? IIRC the ASN.1 parser is
    invoked during the process (to check the padding).
