openssl: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971) (#12196) · Issues · alpine / aports

openssl: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.(Affected 1.1.1-1.1.1h)

Fixed In Version:

openssl 1.1.1i

Reference:

https://www.openssl.org/news/secadv/20201208.txt

Affected branches:

master (79714855)
3.12-stable (9e04b0fd)
3.11-stable
3.10-stable

Edited Dec 15, 2020 by Leo

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information