system/openssl: CVE-2020-1971: GENERAL_NAME_cmp NULL ptr dereference
Bugzilla ID | 393
Alias(es) | CVE-2020-1971
Reporter | Max Rees (sroracle)
Assignee | Max Rees (sroracle)
Reported | 2020-12-08 15:10:57 -0600
Modified | 2020-12-08 15:10:57 -0600
Status | UNCONFIRMED
Version | 1.0-RC1
Hardware | Adélie Linux / All
Importance | --- / normal
Package(s) | system/openssl
URL | https://www.openssl.org/news/secadv/20201208.txt
Description
CVE-2020-1971: https://www.openssl.org/news/secadv/20201208.txt
The X.509 GeneralName type is a generic type for representing
different types of names. One of those name types is known as
EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which
compares different instances of a GENERAL_NAME to see if they are
equal or not. This function behaves incorrectly when both
GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and
a crash may occur leading to a possible denial of service attack.
...
OpenSSL 1.1.1 users should upgrade to 1.1.1i.
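As an added example (not part of this bug report or of the OpenSSL advisory), the following POSIX shell script classifies an `openssl version` string against the fix release named in the excerpt above, 1.1.1i. It assumes the standard `openssl version` output format ("OpenSSL 1.1.1h  22 Sep 2020"); the version strings in the demonstration loop are constructed samples. Only the 1.1.1 branch is assessed, because the advisory excerpt on this page names no fix release for any other branch; anything else is reported as not assessed rather than guessed at.

```shell
#!/bin/sh
# Added example; not code from the Adélie bug report or from OpenSSL.
# Return codes of openssl_1_1_1_vulnerable:
#   0  a 1.1.1 release before 1.1.1i (affected by CVE-2020-1971)
#   1  1.1.1i or a later 1.1.1 letter release
#   2  not a 1.1.1 release, or the string could not be parsed

openssl_1_1_1_vulnerable() {
    # $1 is the output of `openssl version`, e.g. "OpenSSL 1.1.1h  22 Sep 2020"
    ver=$(printf '%s\n' "$1" | awk 'NR == 1 && $1 == "OpenSSL" { print $2 }')
    case "$ver" in
        1.1.1*) ;;
        *) return 2 ;;
    esac
    # The patch level is the single letter after "1.1.1"; it is empty for the
    # initial 1.1.1 release. Anything else (e.g. "-dev") is left unclassified.
    letter=$(printf '%s' "${ver#1.1.1}" | cut -c1)
    case "$letter" in
        ''|[a-h]) return 0 ;;
        [i-z])    return 1 ;;
        *)        return 2 ;;
    esac
}

# Live check for the openssl binary on PATH. Prints a verdict and passes the
# classification code through as the exit status.
check_installed_openssl() {
    v=$(openssl version 2>/dev/null) || { echo "openssl binary not found"; return 2; }
    openssl_1_1_1_vulnerable "$v" && rc=0 || rc=$?
    case "$rc" in
        0) echo "AFFECTED by CVE-2020-1971: $v (upgrade to 1.1.1i or later)" ;;
        1) echo "OK: $v" ;;
        *) echo "Not assessed (not a 1.1.1 release): $v" ;;
    esac
    return "$rc"
}

# Demonstration on constructed version strings; no openssl binary is needed.
for s in "OpenSSL 1.1.1h  22 Sep 2020" \
         "OpenSSL 1.1.1i  8 Dec 2020" \
         "OpenSSL 1.0.2u  20 Dec 2019"; do
    openssl_1_1_1_vulnerable "$s" && rc=0 || rc=$?
    echo "rc=$rc for: $s"
done
```

To check a host, source the file and call `check_installed_openssl`. The version string is only a first-pass signal: a distribution that backports the fix without bumping the letter would still be reported as affected, and a statically linked or vendored OpenSSL is not covered by the system binary's version at all, so confirm against the package changelog for the build actually in use.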