oss-sec mailing list archives

Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug


From: Steffen Ullrich <Steffen_Ullrich () genua de>
Date: Mon, 31 Aug 2009 18:06:30 +0200

On Mon, Aug 31, 2009 at 05:23:53PM +0200, Tomas Hoger <thoger () redhat com> wrote:
> On Sat, 29 Aug 2009 20:45:53 +0200 Steffen Ullrich
> <Steffen_Ullrich () genua de> wrote:
>
> > - the feature to help checking the hostname against the certificate is fairly new
>
> Introduced in 1.14, unless I'm mistaken:
>
>   http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.14/Changes
>
> It may be good to have this listed in the CVE description.

Yes, this is a good idea.
Version 1.14 was released 2008/07/16 and the necessary Net::SSLeay
version 1.34 (which is needed for this feature) was released 2008/07/24.

> Anyway, prefix requirement is another mitigation, as one may not be
> able to get valid certificate for a prefix of arbitrary host name
> (though it may be easier for TLDs as .com and .net via .co and .ne).
>
> Speaking of prefixes, has anyone checked IO-Socket-SSL for
> CVE-2009-2408-like issues?  If there is an issues, should it get fixed
> in IO-Socket-SSL or in Net-SSLeay?

I have not checked it yet.
If there is a problem it has to be fixed in Net::SSLeay; IO::Socket::SSL
is Perl only, and Perl itself has no problems with strings containing \0.
From the code in SSLeay.xs X509_get_subjectAltNames I would say that
this part should be no problem, because it explicitly uses ASN1_STRING_length
to specify the length of the string. But I'm not sure about the use
of X509_get_subject_name where it magically converts an X509_NAME* into
a Perl string.
I'll keep you updated once I've checked it.

Regards,
Steffen


-- 
GeNUA Gesellschaft für Netzwerk - und Unix-Administration mbH
Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de
Tel: (089) 99 19 50-0, Fax: (089) 99 10 50 - 999

Geschäftsführer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht München HRB 98238
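The two comparison pitfalls discussed in this thread (a certificate name that is merely a prefix of the requested host name, and a name containing an embedded NUL byte that a C-string conversion would silently truncate) can be illustrated with a small pure-Perl checker. The following is an added example written for this archive page; it is not code from IO::Socket::SSL or Net::SSLeay, and `verify_hostname_strict` is a hypothetical function that takes the already-extracted certificate names (subjectAltName dNSName entries or the subject CN) as a list of byte strings. The sample names and host names are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical, added example (not IO::Socket::SSL or Net::SSLeay code).
# verify_hostname_strict($hostname, \@names) returns 1 if $hostname matches
# one of the names extracted from a certificate, 0 otherwise.  It shows
# the two defensive properties the thread is about:
#  - names are compared as whole strings or whole labels, so a certificate
#    for "www.example.com" does not match "www.example.com.attacker.test"
#    (no prefix match);
#  - a name containing an embedded NUL byte is rejected outright instead
#    of being truncated at the NUL (the CVE-2009-2408 class of bug).
sub verify_hostname_strict {
    my ($host, $names) = @_;
    $host = lc $host;
    $host =~ s/\.\z//;                 # tolerate a trailing dot on the host
    return 0 if $host eq '' || $host =~ /\0/;

    for my $raw (@$names) {
        # an embedded NUL means the name was not meant to be what a
        # C-string conversion would see: reject it, never truncate it
        next if index($raw, "\0") >= 0;
        my $name = lc $raw;
        $name =~ s/\.\z//;

        if (index($name, '*') < 0) {
            return 1 if $name eq $host;   # exact, whole-string match only
            next;
        }

        # wildcard: a single "*" as the entire leftmost label, matching
        # exactly one label of the host name
        my ($first, $rest) = split /\./, $name, 2;
        next unless defined $rest && $first eq '*' && $rest !~ /\*/;
        my ($hfirst, $hrest) = split /\./, $host, 2;
        next unless defined $hrest;
        return 1 if $hfirst ne '' && $hrest eq $rest;
    }
    return 0;
}

# constructed sample names, as they would be extracted from a certificate
my @good  = ('www.example.com', '*.mail.example.com');
my @nulcn = ("www.example.com\0.attacker.test");    # NUL-byte trick
my @tests = (
    ['www.example.com',               \@good,  1],
    ['WWW.EXAMPLE.COM.',              \@good,  1],  # case and trailing dot
    ['www.example.com.attacker.test', \@good,  0],  # prefix must not match
    ['imap.mail.example.com',         \@good,  1],  # "*" covers one label
    ['a.b.mail.example.com',          \@good,  0],  # "*" is one label only
    ['mail.example.com',              \@good,  0],  # "*" needs a label
    ['www.example.com',               \@nulcn, 0],  # truncated name rejected
);
for my $t (@tests) {
    my ($host, $names, $want) = @$t;
    my $got = verify_hostname_strict($host, $names);
    printf "%-4s %s\n", ($got == $want ? 'ok' : 'FAIL'), $host;
}
```

The point of the NUL check is the one Steffen raises about X509_get_subject_name: whatever extracts the name from the certificate must carry the ASN.1 length through to the Perl string, and the comparison must then treat a NUL inside that string as a reason to fail, not as the end of the name.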

