OpenSSL issues a bugfix for the previous bugfix

2022-06-24 18:32

If you're an OpenSSL user, you're probably aware of the most recent high-profile bugfix release, which came out back in March 2022.

Given the important "Teachable moments" revealed by this bug, we covered it in detail not only on Naked Security, where we explained how to write a better style of code, but also on Sophos News, where SophosLabs showed the gory details of how a booby-trapped certificate could trigger the flaw, and how to debug the code to understand the bug.

The next OpenSSL update was 3.0.3, or 1.1.1o for users of the previous release, which patched a bug that wasn't considered a major flaw, mainly because the bug wasn't in the OpenSSL encryption library code itself.

The command echo runthis literally prints the text runthis, but the command echo $(runthis) doesn't directly print out the characters $(runthis).

Argument treated literally, no metacharacters found $ echo runthis runthis # tries to execute 'runthis', but no such command exists $ echo $(runthis) -bash: runthis: command not found # runs two commands, collects output of both $ echo $(whoami; uname -s -r) duck Linux 5.18.6.

Below, you can see the code that was changed from 1.1.1n to 1.1.1o:. A Perl command of the form `...` command substitution) was replaced with a dedicated internal function called compute hash that takes greater care with weird metacharacters in the constructed command string.

News URL

https://nakedsecurity.sophos.com/2022/06/24/openssl-issues-a-bugfix-for-the-previous-bugfix/

#bugfix #openssl

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Openssl		2	12	92	51	16	171