I'm trying to figure out if my openssl based applications are vulnerable to CVE 2009-3245
From: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3245 > OpenSSL before 0.9.8m does not check for a NULL return value from > bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) > crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) > engines/e_ubsec.c, which has unspecified impact and context-dependent > attack vectors. with the exception of bn_div.c (where the vulnerable call is in a disabled branch of the code) it looks like the vulnerability should mainly effect epileptic curve crypts (I'm not using engines). However when looking at the 0.9.8l code I can find calls to bn_wexpand() without return value check also in bn_mul.c So I'm curious to why bn_mul.c is not listed in the vulnerability report. Is it just a mistake or has someone deduced that it is impossible to exploit this vulnerability in bn_mul.c ? /Leif ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
