Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up
to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute
arbitrary code via a crafted packet that triggers a one-byte buffer
underflow. NOTE: this issue was introduced as a result of a fix for
CVE-2006-3738. As of 20071012, it is unknown whether code execution is
Moritz Jodeit discovered that OpenSSL's SSL_get_shared_ciphers function
did not correctly check the size of the buffer it was writing to.
A remote attacker could exploit this to write one NULL byte past the end of
an application's cipher list buffer, possibly leading to arbitrary code
execution or a denial of service.
Updated: 2015-10-17 03:28:38 UTC (commit 10086)