[Bug Report]: Patch for CVE-2018-9988 in reused component mbedtls-2.6.0 found by V1SCAN #120
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Contact Details
[email protected]
What happened?
我通过使用V1SCAN(一个扫描存在于复用代码中1-Day漏洞的工具),发现您的项目中
Huawei_LiteOS/components/security/mbedtls/mbedtls-2.6.0/library/ssl_cli.c文件中的ssl_parse_server_key_exchange函数可能存在类型为CWE-125 OOB的漏洞,相关触发逻辑类似GHSA-h9j8-4v77-hmr3, 具体参考链接如下:CVE-2018-9988:
NVD说明链接:
https://nvd.nist.gov/vuln/detail/CVE-2018-9988
commit修复链接:
Mbed-TLS/mbedtls@027f84c