Bulletproof TLS Newsletter #64
GCC code analyzer finds bug in OpenSSL
30 April 2020
Author: Hanno Böck

This issue was distributed to 54,360 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. GCC code analyzer finds bug in OpenSSL
  2. Short news

GCC code analyzer finds bug in OpenSSL

OpenSSL recently released a security update fixing a bug in the certificate validation code. The SSL_check_chain() function can crash due to a NULL pointer dereference when an invalid signature algorithm is detected. This bug could be used to crash OpenSSL-based servers. Only relatively recent versions of OpenSSL 1.1.1 are affected (1.1.1d through 1.1.1f); the OpenSSL team has released version 1.1.1g with a fix for the bug.

Notably, the bug was detected with a new static code analyzer introduced in GCC. The feature will ship in the upcoming GCC 10 and can already be tested with a Git build of the current GCC code.

David Malcolm, the Red Hat developer who built the feature, has explained its details in a blog post. The -fanalyzer flag in GCC 10 lets the compiler find common bug classes, with an initial focus on double-free bugs.

While the bug it found shows that this is a powerful feature capable of finding real security bugs, a discussion in the OpenSSL bug tracker also indicates that -fanalyzer produces false positives that are difficult to analyze. False positives are a common property of static code analysis, and the challenge is to keep the false positive rate low enough to avoid too many false alarms while still keeping the tool useful.
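As an added illustration of the bug class discussed above (constructed for this newsletter, not OpenSSL's or David Malcolm's code): a lookup that returns NULL for an unrecognised signature algorithm, an unchecked caller of the kind -fanalyzer reports as a NULL dereference, and the checked version beside it. The table entries, the struct and the nid values are all assumptions.

```c
/* Constructed example: a lookup that returns NULL for an unknown
 * signature algorithm, with an unchecked and a checked caller. */
#include <stddef.h>
#include <string.h>

struct sigalg {
    const char *name;
    int nid;          /* hypothetical numeric identifier */
};

/* Constructed table; these entries and values are not OpenSSL's. */
static const struct sigalg sigalg_table[] = {
    { "rsa_pss_rsae_sha256", 1 },
    { "ecdsa_secp256r1_sha256", 2 },
    { "ed25519", 3 },
};

/* Returns NULL when the name is not recognised. */
static const struct sigalg *sigalg_lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(sigalg_table) / sizeof(sigalg_table[0]); i++)
        if (strcmp(sigalg_table[i].name, name) == 0)
            return &sigalg_table[i];
    return NULL;
}

/* Buggy pattern: the NULL return is never checked. Compiling with
 * "gcc -fanalyzer" is meant to flag the unknown-name path here as
 * -Wanalyzer-null-dereference. Deliberately never called at run time. */
int sigalg_nid_unchecked(const char *name)
{
    const struct sigalg *alg = sigalg_lookup(name);
    return alg->nid;
}

/* Hardened pattern: an unknown algorithm is an error, not a crash.
 * Returns 1 and sets *nid on success, 0 for an unknown name. */
int sigalg_nid_checked(const char *name, int *nid)
{
    const struct sigalg *alg = sigalg_lookup(name);
    if (alg == NULL)
        return 0;
    *nid = alg->nid;
    return 1;
}

/* Convenience wrapper: the nid, or a caller-chosen fallback if unknown. */
int sigalg_nid_or_default(const char *name, int fallback)
{
    int nid;
    return sigalg_nid_checked(name, &nid) ? nid : fallback;
}
```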

Short news