Re: CVE-2019-1551/openssl triage
On 09/12/2019 10:13, Utkarsh Gupta wrote:
> Here's what lead to this commit:
> - The upstream fix provides a patch which is in the
> crypto/bn/asm/rsaz-x86_64.pl file.
> - Going back to the git history of this file, it leads to this
> commit, where the RSAZ assembly modules were first added.
> - The above commit has been tagged as "OpenSSL_1_1_0-pre1".
But the commit was cherry-picked to 1.0.2, and possibly other versions:
> - Still to double check, I went to the release tag of the version in
> Jessie (that is, 1.0.1t), which leads to here.
> - Checking the files in this release, there's no RSAZ assembly modules
> added here, which indeed confirms that the version in Jessie is
> actually not affected, since the affected modules were added in the
> later release.
So the reason is that the code is not present in 1.0.1t, not that it's
never present in < 1.1.0-pre1.