Ivan D Nestlerode via RT wrote:
> I sent this to openssl-dev previously, but I think it got lost in
> the noise there (since it didn't go through rt).
>
> In OpenSSL 0.9.6h, there are a couple of BN_init() bugs in
> crypto/dsa/dsa_ossl.c. The BN_init() calls in question are in the functions:
> dsa_do_sign() (lines 113-114)
> dsa_sign_setup() (line 187)
> dsa_do_verify() (lines 239-241)
>
> In all cases, the BN_init() calls need to be moved before the first
> if statement (so that they are the first functions executed). As written,
> if you goto the err label before doing the BN_init() call you could cause
> a crash when you attempt to free a garbage pointer.
>
> The same bugs exist in 0.9.7 but on slightly different line numbers.
The same bug is in the ecdsa code in 0.9.8-dev (see attached patch for the latest snapshot (== openssl-SNAP-20030114.tar.gz)).

Regards,
Nils

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                            [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
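The ordering bug discussed in this thread, as an added example that is not OpenSSL code: `bn_t` is a small stand-in for BIGNUM that records the pointers it hands out, so that a BN_clear_free()-style cleanup of a never-initialised value is reported instead of crashing, and the 0xA5 fill is a constructed stand-in for whatever happens to be on the stack.

```c
/* Added example, not OpenSSL code: bn_t stands in for BIGNUM and records the
 * pointers it hands out, so freeing an uninitialised value is reported, not a crash. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef struct { uint32_t *d; int top; } bn_t;  /* stand-in for OpenSSL's BIGNUM */
#define MAX_LIVE 8
static uint32_t *live[MAX_LIVE];                /* pointers currently owned by some bn_t */
static void bn_init(bn_t *a) { a->d = NULL; a->top = 0; }  /* what BN_init() does */

static int bn_set_word(bn_t *a, uint32_t w)     /* allocates, like BN_set_word() */
{
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] != NULL) continue;
        a->d = live[i] = malloc(sizeof *a->d);
        if (a->d == NULL) return 0;
        a->d[0] = w; a->top = 1;
        return 1;
    }
    return 0;
}
/* Like BN_clear_free(), except an unknown pointer yields 0 instead of free()ing it. */
static int bn_clear_free(bn_t *a)
{
    if (a->d == NULL) return 1;                 /* initialised, never allocated */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == a->d) { free(a->d); live[i] = NULL; bn_init(a); return 1; }
    return 0;                                   /* garbage pointer: the reported crash */
}
/* Control flow of dsa_do_sign(): with fixed != 0 the BN_init() calls precede the
 * first 'if' (the fix); otherwise they follow it, as in 0.9.6h. Returns 1 on
 * success, 0 on a clean error exit, -1 if err: cleanup saw an uninitialised bn_t. */
static int sign_like(const void *key, int fixed)
{
    bn_t m, xr;
    int ret = 0, ok_m, ok_xr;
    memset(&m, 0xA5, sizeof m); memset(&xr, 0xA5, sizeof xr); /* constructed stack garbage */
    if (fixed) { bn_init(&m); bn_init(&xr); }
    if (key == NULL) goto err;                  /* the early exit that preceded BN_init() */
    if (!fixed) { bn_init(&m); bn_init(&xr); }
    if (!bn_set_word(&m, 1) || !bn_set_word(&xr, 2)) goto err;
    ret = 1;
err:
    ok_m = bn_clear_free(&m);
    ok_xr = bn_clear_free(&xr);
    return (ok_m && ok_xr) ? ret : -1;
}
```

With the real library the unfixed path is undefined behaviour rather than a -1 return, which is why tools like valgrind or ASan, not a return code, are what catch it in practice.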