review.tizen.org Git - platform/upstream/nodejs.git/commit

author	jaekuk, lee <juku1999@samsung.com>
	Mon, 12 Jun 2017 04:34:26 +0000 (13:34 +0900)
committer	jaekuk lee <juku1999@samsung.com>
	Mon, 12 Jun 2017 04:35:32 +0000 (04:35 +0000)
commit	c10f6c55adc067d6863f4266691a9a9bd6b15674
tree	4ad770cdc91e61ba8a396a971ce8632bd5f7495f	tree \| snapshot
parent	d39ce0a95b4874f3806c49689da955f5743f74fd	commit \| diff

Avoid overflow in EVP_EncodeUpdate

https://nvd.nist.gov/vuln/detail/CVE-2016-2105

https://git.openssl.org/?p=openssl.git;a=commit;h=5b814481f3573fa9677f3a31ee51322e2a22ee6a
An overflow can occur in the EVP_EncodeUpdate function which is used for
Base64 encoding of binary data. If an attacker is able to supply very large
amounts of input data then a length check can overflow resulting in a heap
corruption. Due to the very large amounts of data involved this will most
likely result in a crash.
Internally to OpenSSL the EVP_EncodeUpdate function is primarly used by the
PEM_write_bio* family of functions. These are mainly used within the
OpenSSL command line applications, so any application which processes
data from an untrusted source and outputs it as a PEM file should be
considered vulnerable to this issue.
User applications that call these APIs directly with large amounts of
untrusted data may also be vulnerable.
Issue reported by Guido Vranken.
CVE-2016-2105

Change-Id: Ie90201c3ac5c6203583620c5843d2cd896a69955
Signed-off-by: jaekuk, lee <juku1999@samsung.com>