Re: CVE-2019-1551/openssl triage

To: debian-lts@lists.debian.org
Subject: Re: CVE-2019-1551/openssl triage
From: Sylvain Beucler <beuc@beuc.net>
Date: Mon, 9 Dec 2019 10:18:22 +0100
Message-id: <[🔎] 5e5bc247-8809-5980-58d4-46851e7aa0c7@beuc.net>
In-reply-to: <[🔎] 3223a064-7676-d8a0-f7b6-caa4a8387505@gmail.com>
References: <[🔎] 45b87aa9-da09-06dc-c2c2-259ee214f7bd@beuc.net> <[🔎] 3223a064-7676-d8a0-f7b6-caa4a8387505@gmail.com>

Hi,

On 09/12/2019 10:13, Utkarsh Gupta wrote:
> Here's what lead to this commit:
>
> - The upstream fix[1] provides a patch which is in the
> crypto/bn/asm/rsaz-x86_64.pl file.
> - Going back to the git history of this file, it leads to this
> commit[2], where the RSAZ assembly modules were first added.
> - The above commit[2] has been tagged as "OpenSSL_1_1_0-pre1".
>
But the commit was cherry-picked to 1.0.2, and possibly other versions:
https://github.com/openssl/openssl/commit/d5572bdc6432b900b669a0333fc2024b0cb0bc20
>
> - Still to double check, I went to the release tag of the version in
> Jessie (that is, 1.0.1t), which leads to here[3].
> - Checking the files in this release, there's no RSAZ assembly modules
> added here, which indeed confirms that the version in Jessie is
> actually not affected, since the affected modules were added in the
> later release.
>
So the reason is that the code is not present in 1.0.1t, not that it's
never present in < 1.1.0-pre1.

Cheers!
Sylvain

Reply to:

Follow-Ups:
- Re: CVE-2019-1551/openssl triage
  - From: Utkarsh Gupta <guptautkarsh2102@gmail.com>

References:
- CVE-2019-1551/openssl triage
  - From: Sylvain Beucler <beuc@beuc.net>
- Re: CVE-2019-1551/openssl triage
  - From: Utkarsh Gupta <guptautkarsh2102@gmail.com>

Prev by Date: Re: CVE-2019-1551/openssl triage
Next by Date: Re: CVE-2019-1551/openssl triage
Previous by thread: Re: CVE-2019-1551/openssl triage
Next by thread: Re: CVE-2019-1551/openssl triage
Index(es):
- Date
- Thread