oss-sec mailing list archives
Re: CVE Request(s): libgcrypt
From: Joshua Rogers <oss () internot info>
Date: Tue, 30 Dec 2014 08:02:22 +1100
On 30/12/14 07:46, Florian Weimer wrote:
> The patch seems incorrect because the copy of the pointer in the caller is not updated when first free happens. The error can only happen on a path with an allocation failure, right?
Yes, when the allocation fails. _gcry_hmac256_finalize frees 'hd' before it returns NULL, then frees it again. Actually, the patch is incorrect. There is no 'if' hd is freed on the return of NULL, as it is always freed upon the return of NULL.
> > off-by-one out-of-bounds read: http://lists.gnupg.org/pipermail/gcrypt-devel/2014-December/003299.html
>
> This doesn't look like a security issue because the callers all use in-range values.
I was actually unsure of this one. I'm waiting for a libgcrypt developer to comment on it.

Thanks,
--
Joshua Rogers <https://internot.info/>
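The point raised in the quoted reply, that clearing a pointer inside the callee does not update the caller's copy, shown as an added example that is not part of the original message and is not libgcrypt code. All names (`ctx`, `finalize`, `finalize_p`, the callers) are hypothetical, and a static slot with a `live` flag stands in for the heap so the second release is counted rather than executed.

```c
#include <stdio.h>

/* Hypothetical handle; a static slot stands in for the heap so that a second
   release is counted instead of being undefined behaviour. */
struct ctx { int live; unsigned char buf[32]; };
static struct ctx slot;
static int double_frees;

static struct ctx *ctx_new(void) { slot.live = 1; return &slot; }

static void ctx_free(struct ctx *c) {
    if (!c) return;                            /* like free(NULL): no-op */
    if (!c->live) { double_frees++; return; }  /* real free() would corrupt the heap */
    c->live = 0;
}

/* Releases the handle on failure. Clearing the parameter changes only the
   callee's copy of the pointer. */
static const unsigned char *finalize(struct ctx *c, int fail) {
    if (fail) { ctx_free(c); c = NULL; return NULL; }
    return c->buf;
}

/* Same contract, but takes the address of the caller's pointer. */
static const unsigned char *finalize_p(struct ctx **pc, int fail) {
    if (fail) { ctx_free(*pc); *pc = NULL; return NULL; }
    return (*pc)->buf;
}

/* Each caller releases the handle on its own cleanup path and returns the
   number of double releases that resulted. */
static int caller_by_value(int fail) {
    struct ctx *c = ctx_new();
    double_frees = 0;
    (void)finalize(c, fail);
    ctx_free(c);               /* c still holds the released address */
    return double_frees;
}

static int caller_by_address(int fail) {
    struct ctx *c = ctx_new();
    double_frees = 0;
    (void)finalize_p(&c, fail);
    ctx_free(c);               /* c is NULL after a failed finalize_p */
    return double_frees;
}

int main(void) {
    printf("by value: %d, by address: %d\n", caller_by_value(1), caller_by_address(1));
    return 0;
}
```

The double release appears only on the failure path of the by-value variant, which matches the observation in the thread that the error needs an allocation failure to trigger.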