As reported elsewhere (http://seclists.org/oss-sec/2015/q4/87 via http://www.opennet.ru/43146), both of these errors were introduced as part of the refactoring.
Quick glance through http://bxr.su/o/lib/libssl/src/crypto/objects/obj_dat.c#OBJ_obj2txt indicates that the memory leak issue was introduced when a block scope variable within an if condition within a while loop was moved to function scope instead: http://cvsweb.allbsd.org/cvsweb.cgi/src/lib/libssl/src/crypto/objects/obj_dat.c?cvsroot=openbsd#rev1.25 http://cvsweb.allbsd.org/cvsweb.cgi/src/lib/libssl/src/crypto/objects/obj_dat.c.diff?cvsroot=openbsd&r2=1.25&r1=1.24&f=H May I ask whether after this error, is it still frowned upon declaring block scope variables? How did this get past the review? I think it is perhaps time to embrace block scoping as a technique that helps avoid errors like this. br, cnst.su. On 15 October 2015 at 17:29, Ted Unangst <t...@tedunangst.com> wrote: > The OBJ_obj2txt function in libcrypto contains a one byte buffer overrun > and memory leak, as reported by Qualys Security. This can be abused by an > attacker to cause a denial of service in some cases. > > Patches are now available for OpenBSD as well as new releases of LibreSSL > portable. 5.6, 5.7, and 5.8 are affected, as well as all releases of LibreSSL. > > Note that in addition to the instructions to rebuild libcrypto in the patch, > some binaries may link statically with libcrypto (isakmpd, iked, ...) and need > rebuilding as well. And services restarted. > > OpenBSD patches: > http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/033_obj2txt.patch.sig > http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/019_obj2txt.patch.sig > http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/007_obj2txt.patch.sig > > LibreSSL releases: > http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.0.6.tar.gz > http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.1.8.tar.gz > http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.4.tar.gz > > There will be a libressl-2.3.1 release coming, but as a reminder it's still a > development branch. (The OpenBSD patches should apply to 2.3.0 as well.) > > With the release of OpenBSD 5.8 in a few days, 5.6 will be officially retired > from support, and along with it LibreSSL 2.0. Hopefully, this will be the last > release in that line. > -- В. В. Путин о совершенстве, 24 декабря 2000 года: Если человека все устраивает, то он полный идиот. Здорового человека в нормальной памяти не может всегда и всё устраивать.