[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2019-1551/openssl triage


On 09/12/19 2:48 pm, Sylvain Beucler wrote:
> Hi,
> On 09/12/2019 10:13, Utkarsh Gupta wrote:
>> Here's what lead to this commit:
>> - The upstream fix[1] provides a patch which is in the
>> crypto/bn/asm/rsaz-x86_64.pl file.
>> - Going back to the git history of this file, it leads to this
>> commit[2], where the RSAZ assembly modules were first added.
>> - The above commit[2] has been tagged as "OpenSSL_1_1_0-pre1".
> But the commit was cherry-picked to 1.0.2, and possibly other versions:
> https://github.com/openssl/openssl/commit/d5572bdc6432b900b669a0333fc2024b0cb0bc20
>> - Still to double check, I went to the release tag of the version in
>> Jessie (that is, 1.0.1t), which leads to here[3].
>> - Checking the files in this release, there's no RSAZ assembly modules
>> added here, which indeed confirms that the version in Jessie is
>> actually not affected, since the affected modules were added in the
>> later release.
> So the reason is that the code is not present in 1.0.1t, not that it's
> never present in < 1.1.0-pre1.

Ah, I should've been clearer. They have an unusual way of releasing that
rather confused me.
Thanks, indeed. I'll fix the note.


Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: