Overview

File openssl-0013-point_double_internal.patch of Package openssl-3

Description: Fix CWE-457 (Use of Uninitialized Value) in point_double_internal
Issue: The stack variables a, b, c, d (finite field elements) are used in arithmetic macros (gf_add_nr -> gf_weak_reduce) before being initialized, leading to operations on junk data.

Index: openssl-3.6.0/crypto/ec/curve448/curve448.c
===================================================================
--- openssl-3.6.0.orig/crypto/ec/curve448/curve448.c
+++ openssl-3.6.0/crypto/ec/curve448/curve448.c
@@ -64,6 +64,11 @@ static void point_double_internal(curve4
 {
     gf a, b, c, d;
 
+    memset(a, 0, sizeof(gf));
+    memset(b, 0, sizeof(gf));
+    memset(c, 0, sizeof(gf));
+    memset(d, 0, sizeof(gf));
+
     ossl_gf_sqr(c, q->x);
     ossl_gf_sqr(a, q->y);
     gf_add_nr(d, c, a);         /* 2+e */
openSUSE Build Service is sponsored by
Places