[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2019-1551/openssl triage

On 09/12/19 3:00 pm, Utkarsh Gupta wrote:
> Hi,
> On 09/12/19 2:48 pm, Sylvain Beucler wrote:
>> Hi,
>> On 09/12/2019 10:13, Utkarsh Gupta wrote:
>>> Here's what lead to this commit:
>>> - The upstream fix[1] provides a patch which is in the
>>> crypto/bn/asm/rsaz-x86_64.pl file.
>>> - Going back to the git history of this file, it leads to this
>>> commit[2], where the RSAZ assembly modules were first added.
>>> - The above commit[2] has been tagged as "OpenSSL_1_1_0-pre1".
>> But the commit was cherry-picked to 1.0.2, and possibly other versions:
>> https://github.com/openssl/openssl/commit/d5572bdc6432b900b669a0333fc2024b0cb0bc20
>>> - Still to double check, I went to the release tag of the version in
>>> Jessie (that is, 1.0.1t), which leads to here[3].
>>> - Checking the files in this release, there's no RSAZ assembly modules
>>> added here, which indeed confirms that the version in Jessie is
>>> actually not affected, since the affected modules were added in the
>>> later release.
>> So the reason is that the code is not present in 1.0.1t, not that it's
>> never present in < 1.1.0-pre1.
> Ah, I should've been clearer. They have an unusual way of releasing that
> rather confused me.

Most of the 1.0.2(x) releases were after 1.1.0-pre1.
Anyway, here's more clear summary (also on the tracker now):
Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL
1.0.2u-dev (Affected 1.0.2-1.0.2t).

> Thanks, indeed. I'll fix the note.



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: