creating SRP file crashes openssl
Bug #1551274 reported by Muelli
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssl (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
The following, with "test", "test" as passwords, makes openssl crash:
touch passwd.srpv ; openssl srp -srpvfile passwd.srpv -add user
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: openssl 1.0.2f-2ubuntu1
ProcVersionSign
Uname: Linux 4.4.0-4-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: GNOME
Date: Mon Feb 29 16:15:20 2016
InstallationDate: Installed on 2015-12-02 (89 days ago)
InstallationMedia: Ubuntu-GNOME 16.04 LTS "Xenial Xerus" - Alpha amd64 (20151027)
SourcePackage: openssl
UpgradeStatus: No upgrade log present (probably fresh install)
Changed in openssl (Ubuntu):
importance: Undecided → High
The following patch helps me
--- openssl- 1.0.2f/ crypto/ srp/srp_ vfy.c 2016-01-28 14:38:31.000000000 +0100 1.0.2f- patched/ crypto/ srp/srp_ vfy.c 2016-03-02 12:18:01.320339059 +0100
BN_free( N_bn);
BN_free( g_bn); clear_free( s); clear_free( v);
+++ openssl-
@@ -588,8 +588,12 @@
}
- OPENSSL_cleanse(vf, vfsize);
- OPENSSL_free(vf);
+
+ if (vf) {
+ OPENSSL_cleanse(vf, vfsize);
+ OPENSSL_free(vf);
+ }
+
BN_
BN_
return result;
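Review bot: The new `if (vf)` guard around `OPENSSL_cleanse(vf, vfsize)` is only reliable if `vf` is guaranteed to be NULL whenever this cleanup code is reached without the buffer having been allocated. The hunk does not show the declaration, so confirm that `vf` is initialised to NULL (and `vfsize` to 0) where it is declared; otherwise the check tests an indeterminate pointer and the cleanse can still write through it. The two blank `+` lines added before and after the block are whitespace-only changes and can be dropped to keep the diff minimal.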
Note that it seems to be fixed in more recent openssl versions.