[v2.6] openssl: race condition in the ssl3_read_bytes function in s3_pkt.c (CVE-2010-5298)
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
- MLIST: [oss-security] 20140412 Use-after-free race condition in OpenSSL's read buffer
  URL: http://openwall.com/lists/oss-security/2014/04/13/1
- MISC: http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse
- MISC: https://rt.openssl.org/Ticket/Display.html?id=2167&user=guest&pass=guest
- MISC: https://rt.openssl.org/Ticket/Display.html?id=3265&user=guest&pass=guest
- CONFIRM: http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig
- CONFIRM: http://svnweb.freebsd.org/ports/head/security/openssl/files/patch-ssl-s3_pkt.c?revision=351191&view=markup
- OPENBSD: [5.5] 004: SECURITY FIX: April 12, 2014
  URL: http://www.openbsd.org/errata55.html#004_openssl
- BID: 66801
  URL: http://www.securityfocus.com/bid/66801
(from redmine: issue id 2897, created on 2014-05-20, closed on 2014-05-21)
- Relations:
  - parent #2895 (closed)
- Changesets:
  - Revision 349a8dbc by Timo Teräs on 2014-05-21T09:31:53Z:
    main/openssl: fix for CVE-2010-5298
    fixes #2897
    (cherry picked from commit 4456c9ec91d13627b3900075f8ac84ce97551679)