Security Vulnerability - Action Required: Overflow may in the newest version of the Logan #526
Comments
Crispy-fried-chicken
changed the title
|
PR一波?mbedtls是引过来的三方库,现在来看版本太老了,是不是升级一波就能修复了 |
Crispy-fried-chicken
added a commit
to Crispy-fried-chicken/Logan
that referenced
this issue
Aug 26, 2024
|
@Richard-Cao 我已经PR了,直接升级一波担心会有什么兼容性问题? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
您的项目中
Logan/mbedtls/library/x509_create.c文件下的mbedtls_x509_set_extension函数存在overflow的风险,如果在调用该函数时给val_len赋值为0xFFFFFFFF,就会造成内部溢出会导致分段错误。这和最近披露的CVE-2024-23775所述十分相似(https://github.com/Mbed-TLS/mbedtls/issues/8687)。考虑到其可能存在的潜在风险,我愿意配合您以负责任的方式及时核实、解决和报告发现的漏洞。 如果您需要任何进一步的信息或帮助,请随时与我联系。如果需要,我也可以提交PR帮助您修复。 谢谢您,期待尽快收到您的回复!
The text was updated successfully, but these errors were encountered: