Debian Bug report logs -
#1061582
openssl: CVE-2024-0727
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>:
Bug#1061582; Package src:openssl.
(Fri, 26 Jan 2024 21:09:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>.
(Fri, 26 Jan 2024 21:09:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: openssl
Version: 3.1.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for openssl.
CVE-2024-0727[0]:
| Issue summary: Processing a maliciously formatted PKCS12 file may
| lead OpenSSL to crash leading to a potential Denial of Service
| attack Impact summary: Applications loading files in the PKCS12
| format from untrusted sources might terminate abruptly. A file in
| PKCS12 format can contain certificates and keys and may come from an
| untrusted source. The PKCS12 specification allows certain fields to
| be NULL, but OpenSSL does not correctly check for this case. This
| can lead to a NULL pointer dereference that results in OpenSSL
| crashing. If an application processes PKCS12 files from an untrusted
| source using the OpenSSL APIs then that application will be
| vulnerable to this issue. OpenSSL APIs that are vulnerable to this
| are: PKCS12_parse(), PKCS12_unpack_p7data(),
| PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and
| PKCS12_newpass(). We have also fixed a similar issue in
| SMIME_write_PKCS7(). However since this function is related to
| writing data we do not consider it security significant. The FIPS
| modules in 3.2, 3.1 and 3.0 are not affected by this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-0727
https://www.cve.org/CVERecord?id=CVE-2024-0727
[1] https://www.openssl.org/news/secadv/20240125.txt
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Jan 27 08:21:26 2024;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon