Wind River Support Network

HomeDefectsLIN5-21425
Fixed

LIN5-21425 : Security Advisory - OpenSSL - CVE-2016-2109

Created: May 3, 2016    Updated: May 29, 2018
Resolved Date: May 4, 2016
Found In Version: 5.0.1.35
Fix Version: 5.0.1.36
Severity: Standard
Applicable for: Wind River Linux 5
Component/s: Userspace

Description

ASN.1 BIO excessive memory allocation (CVE-2016-2109)
=====================================================

Severity: Low

When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
a short invalid encoding can casuse allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.

Any application parsing untrusted data through d2i BIO functions is affected.
The memory based functions such as d2i_X509() are *not* affected. Since the
memory based functions are used by the TLS library, TLS applications are not
affected.

This issue was reported to OpenSSL on 4th April 2016 by Brian Carpenter.
The fix was developed by Stephen Henson of the OpenSSL development team.

Other Downloads


Live chat
Online