
Malformed private keys lead to heap corruption in OpenSSL's b2i_PVK_bio - jlgaddis
https://guidovranken.wordpress.com/2016/03/01/public-disclosure-malformed-private-keys-lead-to-heap-corruption-in-b2i_pvk_bio/
======
jlgaddis
Note that this is a public disclosure of a vulnerability that was _NOT_
included in today's (2016-03-01) OpenSSL release.

------
jimrandomh
> "I reported this one on February 24th, and on February 26th, in response to
> a different inquiry of mine, I was told that any reports submitted from
> there on had to wait until the next release. This one apparently didn’t make
> the cut. I respect the fact that the OpenSSL team has to conform to
> deadlines and schedules."

> "However, I’ve decided to publicly disclose this one because I think it’s
> not necessarily more secure to have vulnerable code running on servers for a
> month of more while attackers, if any (for this vulnerability), are not
> bound to release cycles and have the advantage of time."

So he's publicly disclosing this even though it's not patched in the latest
version, and he only notified the OpenSSL team less than a week ago? That's
irresponsible! There's room to debate how long you have to wait before
disclosing an unpatched vulnerability to the public, but I think we should all
agree it's longer than that.

~~~
cyphar
For serious vulnerabilities, most people (including Google IIRC) would agree
that 5 days is sufficient. More importantly, the fact that it wasn't scheduled
to be in today's fix means that we have to wait until the next release to get
this fix (which will take longer than a week). It's such a trivially
exploitable vulnerability that it should be treated as serious.

------
Bootvis
How would you exploit this? What can you gain if you're already able to supply
OpenSSL with a private key? Is there a way to supply or tamper with private
keys remotely?

~~~
duaneb
I imagine you could exploit neighbors—if, for instance, a load balancer serves
multiple clients and allows uploading private keys, this could allow snooping
their traffic AS a client.
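
Bootvis asks above what an attacker gains once able to hand a private key to OpenSSL, and duaneb's answer is a multi-tenant service that accepts uploaded keys. The page does not describe the defect's mechanics, so no proof of concept belongs here. As an added example, not OpenSSL's code and not from the disclosure, here is a stand-alone C pre-check such a service could run on an uploaded PVK file to reject inconsistent headers before anything reaches b2i_PVK_bio. The header layout (magic 0xb0b5f11e, reserved, keytype, is_encrypted, saltlen, keylen, then salt bytes and key blob) is the documented PVK container format; the 64 KiB cap, the accepted keytype values 1 and 2, and the sample bytes are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PVK container layout as OpenSSL's pvkfmt.c reads it: six little-endian
 * 32-bit fields (magic, reserved, keytype, is_encrypted, saltlen, keylen),
 * then saltlen bytes of salt, then keylen bytes of key blob. */
#define PVK_MAGIC      0xb0b5f11eu
#define PVK_HEADER_LEN 24u
/* Assumption: a sanity cap chosen for this example, not from any spec.
 * RSA/DSA blobs carried in PVK files are a few KiB at most. */
#define PVK_MAX_FIELD  (64u * 1024u)

enum pvk_status {
    PVK_OK = 0,
    PVK_TOO_SHORT,     /* fewer than 24 bytes: header incomplete */
    PVK_BAD_MAGIC,
    PVK_BAD_RESERVED,  /* reserved field must be zero */
    PVK_BAD_KEYTYPE,   /* assumption: 1 = key exchange, 2 = signature */
    PVK_BAD_ENCFLAG,   /* is_encrypted must be 0 or 1 */
    PVK_LEN_TOO_LARGE, /* saltlen or keylen above the cap */
    PVK_LEN_MISMATCH   /* saltlen + keylen disagrees with bytes present */
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validate the header of an untrusted PVK buffer before any real parser
 * sees it. On PVK_OK the body is exactly saltlen + keylen bytes long. */
enum pvk_status pvk_check(const uint8_t *buf, size_t len)
{
    uint32_t magic, reserved, keytype, is_enc, saltlen, keylen;

    if (len < PVK_HEADER_LEN)
        return PVK_TOO_SHORT;
    magic    = read_le32(buf);
    reserved = read_le32(buf + 4);
    keytype  = read_le32(buf + 8);
    is_enc   = read_le32(buf + 12);
    saltlen  = read_le32(buf + 16);
    keylen   = read_le32(buf + 20);

    if (magic != PVK_MAGIC)           return PVK_BAD_MAGIC;
    if (reserved != 0)                return PVK_BAD_RESERVED;
    if (keytype != 1 && keytype != 2) return PVK_BAD_KEYTYPE;
    if (is_enc > 1)                   return PVK_BAD_ENCFLAG;
    /* Bound each length first so the sum below cannot wrap. */
    if (saltlen > PVK_MAX_FIELD || keylen > PVK_MAX_FIELD)
        return PVK_LEN_TOO_LARGE;
    if ((size_t)saltlen + (size_t)keylen != len - PVK_HEADER_LEN)
        return PVK_LEN_MISMATCH;
    return PVK_OK;
}

/* Build a constructed PVK sample (header plus `body` bytes of 0xAA filler,
 * not a real key) and run it through pvk_check. */
enum pvk_status pvk_demo(uint32_t keytype, uint32_t is_enc,
                         uint32_t saltlen, uint32_t keylen, size_t body)
{
    uint8_t buf[PVK_HEADER_LEN + 4096];
    if (body > sizeof buf - PVK_HEADER_LEN)
        return PVK_LEN_TOO_LARGE;   /* sample bigger than this demo's buffer */
    write_le32(buf, PVK_MAGIC);
    write_le32(buf + 4, 0);
    write_le32(buf + 8, keytype);
    write_le32(buf + 12, is_enc);
    write_le32(buf + 16, saltlen);
    write_le32(buf + 20, keylen);
    memset(buf + PVK_HEADER_LEN, 0xAA, body);
    return pvk_check(buf, PVK_HEADER_LEN + body);
}

int main(void)
{
    /* consistent header: 4-byte salt, 8-byte blob, 12 bytes of body */
    printf("well-formed:  %d\n", pvk_demo(1, 0, 4, 8, 12));
    /* keylen claims ~4 GiB with 8 bytes of body */
    printf("huge keylen:  %d\n", pvk_demo(1, 0, 0, 0xffffffffu, 8));
    /* keylen within the cap but more than the bytes actually present */
    printf("short body:   %d\n", pvk_demo(2, 1, 0, 4096, 8));
    /* saltlen + keylen would wrap a 32-bit sum if added before bounding */
    printf("wrap attempt: %d\n", pvk_demo(1, 1, 0xfffffff0u, 0x20, 16));
    return 0;
}
```

Bounding each length before adding them is the point of the last sample: a check written as `if (saltlen + keylen != remaining)` on 32-bit values passes the wrap attempt, because 0xfffffff0 + 0x20 comes back as 16. This is a trust-boundary filter on the container, not a substitute for the OpenSSL patch; a tenant who can upload keys to a shared parser is inside the boundary the fix has to hold, whether or not the header looks sane.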

------
X-Istence
No fix for this yet... great :/

