lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAO5O-EJ3FqEW13CydrhRGibSGMyJgD02s=RwCV1LmJN5hK5+jA@mail.gmail.com>
Date: Tue, 11 Oct 2016 19:18:00 +0200
From: Guido Vranken <guidovranken@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] New OpenSSL double-free and invalid free vulnerabilities in
	X509 parsing

These vulnerabilities were found in the latest OpenSSL (1.1.0b).
Triggering these vulnerabilities is not trivial -- they rely on memory
shortages (malloc/realloc failures) or failing to acquire a thread
lock while the X509 data is being parsed. Possibly exploitation can be
achieved by exploiting a memory leak/accumulation (such as the
recently discovered CVE-2016-6304). Proof of concepts and more
extensive commentary at the link below.

https://github.com/guidovranken/openssl-x509-vulnerabilities

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ