critical
10
CWE
119 1103
Advisory Published
CVE Published
Updated

CVE-2016-0799: Buffer Overflow

First published: Fri Feb 26 2016(Updated: )

As per Upstream advisory: The internal |fmtstr| function used in processing a "%s" format string in the BIO_*printf functions could overflow while calculating the length of a string and cause an OOB read when printing very long strings. Additionally the internal |doapr_outch| function can attempt to write to an OOB memory location (at an offset from the NULL pointer) in the event of a memory allocation failure. In 1.0.2 and below this could be caused where the size of a buffer to be allocated is greater than INT_MAX. E.g. this could be in processing a very long "%s" format string. Memory leaks can also occur. These issues will only occur on certain platforms where sizeof(size_t) > sizeof(int). E.g. many 64 bit systems. The first issue may mask the second issue dependent on compiler behaviour. These problems could enable attacks where large amounts of untrusted data is passed to the BIO_*printf functions. If applications use these functions in this way then they could be vulnerable. OpenSSL itself uses these functions when printing out human-readable dumps of ASN.1 data. Therefore applications that print this data could be vulnerable if the data is from untrusted sources. OpenSSL command line applications could also be vulnerable where they print out ASN.1 data, or if untrusted data is passed as command line arguments. Libssl is not considered directly vulnerable. Additionally certificates etc received via remote connections via libssl are also unlikely to be able to trigger these issues because of message size limits enforced within libssl. This issue affects OpenSSL versions 1.0.2 and 1.0.1. OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s This issue was reported to OpenSSL on February 23rd by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team.

Credit: secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
redhat/openssl<0:1.0.1e-48.el6_8.1
0:1.0.1e-48.el6_8.1
redhat/openssl<0:1.0.1e-42.el6_7.5
0:1.0.1e-42.el6_7.5
redhat/openssl<1:1.0.1e-51.el7_2.5
1:1.0.1e-51.el7_2.5
redhat/openssl<1.0.1
1.0.1
redhat/openssl<1.0.2
1.0.2
OpenSSL OpenSSL=1.0.1
OpenSSL OpenSSL=1.0.1-beta1
OpenSSL OpenSSL=1.0.1-beta2
OpenSSL OpenSSL=1.0.1-beta3
OpenSSL OpenSSL=1.0.1a
OpenSSL OpenSSL=1.0.1b
OpenSSL OpenSSL=1.0.1c
OpenSSL OpenSSL=1.0.1d
OpenSSL OpenSSL=1.0.1e
OpenSSL OpenSSL=1.0.1f
OpenSSL OpenSSL=1.0.1g
OpenSSL OpenSSL=1.0.1h
OpenSSL OpenSSL=1.0.1i
OpenSSL OpenSSL=1.0.1j
OpenSSL OpenSSL=1.0.1k
OpenSSL OpenSSL=1.0.1l
OpenSSL OpenSSL=1.0.1m
OpenSSL OpenSSL=1.0.1n
OpenSSL OpenSSL=1.0.1o
OpenSSL OpenSSL=1.0.1p
OpenSSL OpenSSL=1.0.1q
OpenSSL OpenSSL=1.0.1r
OpenSSL OpenSSL=1.0.2
OpenSSL OpenSSL=1.0.2-beta1
OpenSSL OpenSSL=1.0.2-beta2
OpenSSL OpenSSL=1.0.2-beta3
OpenSSL OpenSSL=1.0.2a
OpenSSL OpenSSL=1.0.2b
OpenSSL OpenSSL=1.0.2c
OpenSSL OpenSSL=1.0.2d
OpenSSL OpenSSL=1.0.2e
OpenSSL OpenSSL=1.0.2f
Pulsesecure Client
Pulsesecure Client
Pulsesecure Steel Belted Radius
Advantech Spectre RT ERT351 firmware Versions 5.1.3 and prior

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203