[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2019-1551/openssl triage

Hi Sylvain,

On 09/12/19 2:14 pm, Sylvain Beucler wrote:
Hi Utkarsh,

You wrote for CVE-2019-1551:
+    [jessie] - openssl <not-affected> (Only affects OpenSSL > 1.1.0-pre1)

However the advisory says:
"OpenSSL versions 1.1.1 and 1.0.2 are affected by this issue."

So the status for 1.0.1 (jessie, wheezy) isn't clear.

Can you add more elements to your triage?

Sure thing.

Here's what lead to this commit:
- The upstream fix[1] provides a patch which is in the crypto/bn/asm/rsaz-x86_64.pl file.
- Going back to the git history of this file, it leads to this commit[2], where the RSAZ assembly modules were first added.
- The above commit[2] has been tagged as "OpenSSL_1_1_0-pre1".
- Still to double check, I went to the release tag of the version in Jessie (that is, 1.0.1t), which leads to here[3].
- Checking the files in this release, there's no RSAZ assembly modules added here, which indeed confirms that the version in Jessie is actually not affected, since the affected modules were added in the later release.

Hope that makes sense?

P.S. Sent the same to the security team as well.

[1]: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98
[2]: https://github.com/openssl/openssl/commit/0b4bb91db65697ab6d3a0fc05b140887cbce3080#diff-e55cf156f8579e17800742c38b325e07
[3]: https://github.com/openssl/openssl/releases/tag/OpenSSL_1_0_1t

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: