CVE-2014-0195 is a buffer overflow
(https://www.openssl.org/news/secadv_20140605.txt):

    A buffer overrun attack can be triggered
    by sending invalid DTLS fragments to an
    OpenSSL DTLS client or server. This is
    potentially exploitable to run arbitrary code
    on a vulnerable client or server.

I'm fairly certain that most (all?) Linux distros use stack guards by
default (via GCC spec file) and OpenSSL uses NX stacks.

Does that mean this RCE is a heap-based overflow?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List