Adding CTurt to see if he wants to take a stab at writing a PoC exploit. It'd be cool for an offensive researcher to determine if it's simply a DoS. But regardless, a security fix is a security fix. All currently-supported branches really should be updated.
Thanks, Shawn On Mon, Aug 01, 2016 at 04:41:02PM -0700, Conrad Meyer wrote: > Hey Shawn, > > I don't think this is security-related despite being a bug in > crypto-adjacent code. At best it's a DoS, I think. > > Cheers, > Conrad > > On Mon, Aug 1, 2016 at 4:15 PM, Shawn Webb <shawn.w...@hardenedbsd.org> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA512 > > > > > > > > On August 1, 2016 6:57:03 PM EDT, "Conrad E. Meyer" <c...@freebsd.org> > > wrote: > >>Author: cem > >>Date: Mon Aug 1 22:57:03 2016 > >>New Revision: 303650 > >>URL: https://svnweb.freebsd.org/changeset/base/303650 > >> > >>Log: > >> opencrypto AES-ICM: Fix heap corruption typo > >> > >>This error looks like it was a simple copy-paste typo in the original > >>commit > >> for this code (r275732). > >> > >> PR: 204009 > >> Reported by: Chang-Hsien Tsai <luke.tw AT gmail.com> > >> Sponsored by: EMC / Isilon Storage > > > > Since cem@ refuses to MFC even security fixes, can someone with a commit > > bit please MFC this within normal security-related MFC timeframe? > > Additionally, does a security advisory need to be sent out? CC'ing secteam@. > > > > Thanks, > > > > Shawn > > > > - -- > > Sent from my Android device with K-9 Mail. Please excuse my brevity. > > -----BEGIN PGP SIGNATURE----- > > Version: APG v1.1.1 > > > > iQI/BAEBCgApBQJXn9ggIhxTaGF3biBXZWJiIDxzaGF3bkBzaGF3bndlYmIuaW5m > > bz4ACgkQaoRlj1JFbu4Ypg//XLLOHX3y5ULHSEqEQ6tgUjQiR+9ADYKX1Zza3ghI > > FsHEr7O8yi31jb8EJ9+oOiZOHxjAfLP+ezwNoa9xRUQu0IoTcCLU6PzCzHv2viaa > > UZ+ae5xbB48i89o2ZshGTKgtwAzkCOhNkvPaAmS2yu14Xg+2CbhY2mCR+qdnAnMS > > cUU4dTsqTI+cHQoE2ehzDst/ABSaBZa2XZKxFp3EeTb3r2bNAvh72zMv6ethU8Ht > > 5VE7ZyRfQBpObZVcmSy6Sg8+vyjTRE4pdiajSqs3kIitPvxljwukMQ6DcdHCnJPx > > IlOTXnM1wd7iHSwNTP8jniemOR4QrrQ3fEwglsnjp2t45ZnWi46LhfoekOinX42v > > x7f+XWhcw0/oCF34q0rQ/YxFr0OcammmPMqjYKy7dlk2H6FSk9jnqh19lXu+qZP6 > > UzlUS+IHHn7o0OaV9Tflsey7/24hFjEVAHFKZxsG7VzKaSjri6aJ8p2Mr2D1o1os > > rEMF15pV2d9l7tIFN0FigqmffZswpTbk+uNNHc8rg+Tq7QV1fhceTgLLXRfqlpq8 > > ES/Y3Epr22KCCEhftQw3fqC1XpOpn5CUc3svJx7llXWYc/c7RdxGDNSujFF3IARk > > 741mx0N/ZkrcXZ/u/zk5+gMmS7NxhQXNk3QueRTIlqZv7e9GdlaYAPMZxQZKQKm3 > > +YQ= > > =B3c1 > > -----END PGP SIGNATURE----- > > > > -- Shawn Webb Cofounder and Security Engineer HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
signature.asc
Description: PGP signature
