Hi guys,

I'm not very sure this is the right place to start this topic, but apparently there's been a new PolarSSL CVE that permits execution of malicious code. "PolarSSL versions starting with 1.0 and up to the PolarSSL 1.3.9 and PolarSSL 1.2.12 are affected by a remote attack in some configurations."

The fix is a one-line addition to asn1parse.c:
========================================================
diff --git a/library/asn1parse.c b/library/asn1parse.c
index a3a2b56..e2117bf 100644
--- a/library/asn1parse.c
+++ b/library/asn1parse.c
@@ -278,6 +278,8 @@ int asn1_get_sequence_of( unsigned char **p,
             if( cur->next == NULL )
                 return( POLARSSL_ERR_ASN1_MALLOC_FAILED );

+            memset( cur->next, 0, sizeof( asn1_sequence ) );
+
             cur = cur->next;
         }
     }
========================================================

According to downloads.openwrt.org, the current version of the PolarSSL library is version 1.3.8, if I'm not mistaking (http://downloads.openwrt.org/barrier_br … ar71xx.ipk). So my question is basically, can this library be updated please?

Source: https://polarssl.org/tech-updates/secur … ry-2014-04