Your submission was sent successfully! Close

CVE-2014-3508

Published: 07 August 2014

The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions.

Priority

Medium

Status

Package Release Status
openssl
Launchpad, Ubuntu, Debian
Upstream
Released (0.9.8zb,1.0.1i)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (1.0.1f-1ubuntu7)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (1.0.1f-1ubuntu7)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (1.0.1f-1ubuntu2.5)
Patches:
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=03b04ddac162c7b7fa3c57eadccc5a583a00d291 (1.0.1)
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=059230b3203b842beba856b7998e71f70e7e454e (bp 0.9.8)
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=5e8e7054f76add84998f6133fb324116b4e811b9 (bp 0.9.8)
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=82a5049f6a45a273b8119721e593a285ad6e6408 (bp 0.9.8)
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b9a73f5481fb8d5aac535622759cb0f632f39914 (0.9.8)
openssl098
Launchpad, Ubuntu, Debian
Upstream
Released (0.9.8zb)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needed)