)]}' { "commit": "01e8e625ad83cc9a07288bd4dc285bd8b0ccd550", "tree": "b234f65d2b92eb8e338e4ba8153a2fe870c8c6e9", "parents": [ "f1af129fb4ddb44bfd1c4aeaa5e07676c43faf28" ], "author": { "name": "David Benjamin", "email": "davidben@google.com", "time": "Tue Aug 14 19:09:07 2018 -0500" }, "committer": { "name": "Adam Langley", "email": "agl@google.com", "time": "Thu Aug 16 15:33:43 2018 +0000" }, "message": "Don\u0027t allow RC4 in PEM.\n\nThis fixes uninitialized memory read reported by Nick Mathewson in\nhttps://github.com/openssl/openssl/issues/6347.\n\nIt imports the memset from upstream\u0027s 2c739f72e5236a8e0c351c00047c77083dcdb77f,\nbut I believe that fix is incorrect and instead RC4 shouldn\u0027t be allowed in\nthis context. See\nhttps://github.com/openssl/openssl/pull/6603#issuecomment-413066462 for\ndetails.\n\nUpdate-Note: Decoding a password-protected PEM block with RC4 will, rather than\nderive garbage from uninitialized memory, simply fail. Trying to encode a\npassword-protect PEM block with an unsupported cipher will also fail, rather\nthan output garbage (e.g. tag-less AES-GCM).\n\nChange-Id: Ib7e23dbf5514f0a523730926daad3c0bdb989417\nReviewed-on: https://boringssl-review.googlesource.com/31084\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "5f6e327e9285448f29b781b74da4d243a07625df", "old_mode": 33188, "old_path": "crypto/CMakeLists.txt", "new_id": "2684750e16f37d694926c843b531941e711e00d9", "new_mode": 33188, "new_path": "crypto/CMakeLists.txt" }, { "type": "modify", "old_id": "8f89096131a6da43d7d2a6fc26bcccbcdd583bbe", "old_mode": 33188, "old_path": "crypto/pem/pem_lib.c", "new_id": "5180e55d0fa93a7704ed20b9876fcc250db54b88", "new_mode": 33188, "new_path": "crypto/pem/pem_lib.c" }, { "type": "add", "old_id": "0000000000000000000000000000000000000000", "old_mode": 0, "old_path": "/dev/null", "new_id": "aed523cd8123b253237e068b39e77b4a298397d8", "new_mode": 33188, "new_path": "crypto/pem/pem_test.cc" } ] }