[v2.3] openssl: ASN1 BIO vulnerability (CVE-2012-2110)
A potentially exploitable vulnerability has been discovered in the
Any application which uses BIO or FILE based functions to read untrusted
format data is vulnerable. Affected functions are of the form d2i_*_bio or
d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp.
Applications using the memory based ASN1 functions (d2i_X509,
are not affected. In particular the SSL/TLS code of OpenSSL is not affected.
Applications only using the PEM routines are not affected.
S/MIME or CMS applications using the built in MIME parser
SMIME_read_CMS are affected.
The OpenSSL command line utility is also affected if used to process
data in DER format.
Note: although an application using the SSL/TLS portions of OpenSSL is
automatically affected it might still call a function such as d2i_X509_bio on
untrusted data and be vulnerable.
Thanks to Tavis Ormandy, Google Security Team, for discovering this
to Adam Langley <firstname.lastname@example.org>for fixing it.
Affected users should upgrade to OpenSSL 1.0.1a, 1.0.0i or 0.9.8v.
URL for this Security Advisory:
(from redmine: issue id 1108, created on 2012-04-20, closed on 2012-05-07)