Full Disclosure mailing list archives

By Date By Thread New OpenSSL double-free and invalid free vulnerabilities in X509 parsing From: Guido Vranken <guidovranken () gmail com>

Date: Tue, 11 Oct 2016 19:18:00 +0200

These vulnerabilities were found in the latest OpenSSL (1.1.0b). Triggering these vulnerabilities is not trivial -- they rely on memory shortages (malloc/realloc failures) or failing to acquire a thread lock while the X509 data is being parsed. Possibly exploitation can be achieved by exploiting a memory leak/accumulation (such as the recently discovered CVE-2016-6304). Proof of concepts and more extensive commentary at the link below. https://github.com/guidovranken/openssl-x509-vulnerabilities _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: New OpenSSL double-free and invalid free vulnerabilities in X509 parsing Guido Vranken (Oct 12)