Hi,

I'm running the 0.9.8g version of OpenSSL to verify some data.

I received an email about a vulnerability in OpenSSL, which basically says:
"A potentially exploitable vulnerability has been discovered in the OpenSSL
function asn1_d2i_read_bio."
...
"Any application which uses BIO or FILE based functions to read untrusted
DER format data is vulnerable. Affected functions are of the form d2i_*_bio
or d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp."

I performed a search in our source code and I can't find any
"d2i_*_bio", "d2i_*_fp", "d2i_X509_bio" or "d2i_PKCS12_fp". I also can't
find any call to "asn1_d2i_read_bio"...
Our code uses BIO_read functions. Do we fall under this vulnerability?


Best Regards..
-- 
View this message in context: 
http://old.nabble.com/ASN1-BIO-vulnerability-%28CVE-2012-2110%29-tp33732623p33732623.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
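
Added example, not part of the original message or of OpenSSL: a source scan for the call patterns the quoted advisory names (d2i_*_bio, d2i_*_fp, asn1_d2i_read_bio) that ignores mentions inside comments and string literals. The function name `find_affected_calls` and the sample C source are constructed for illustration.

```python
import re

# Names quoted in the advisory text above: d2i_*_bio, d2i_*_fp, asn1_d2i_read_bio.
AFFECTED = re.compile(r"\b(d2i_\w+_(?:bio|fp)|asn1_d2i_read_bio)\s*\(")

# C comments and string/char literals, blanked so mentions in text are not reported.
NOISE = re.compile(
    r'/\*.*?\*/|//[^\n]*'        # block and line comments
    r'|"(?:\\.|[^"\\\n])*"'      # string literals
    r"|'(?:\\.|[^'\\\n])*'",     # character literals
    re.S)

def blank(match):
    # Keep newlines so reported line numbers still match the file.
    return re.sub(r"[^\n]", " ", match.group(0))

def find_affected_calls(source):
    """Return (line_number, function_name) for each call matching the advisory."""
    code = NOISE.sub(blank, source)
    hits = []
    for m in AFFECTED.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1)))
    return hits

# Constructed sample source, not taken from any real project.
# BIO_read is not one of the names the advisory quotes, so the scan does not
# flag it; the scan says nothing about where the bytes read go afterwards.
SAMPLE = '''\
#include <openssl/x509.h>
/* old path used d2i_X509_bio(in, NULL) */
int load(BIO *in, FILE *fp, unsigned char *buf) {
    int n = BIO_read(in, buf, 512);
    const char *msg = "d2i_PKCS12_fp(fp, NULL) failed";
    X509 *x = d2i_X509_bio(in, NULL);
    PKCS12 *p = d2i_PKCS12_fp (fp,
                               NULL);
    return n && x && p && msg;
}
'''

if __name__ == "__main__":
    for line, name in find_affected_calls(SAMPLE):
        print(f"line {line}: {name}")
```

A textual scan only sees direct calls in the files it is given; calls made through macros or inside libraries the application links against are not visible to it.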
