oss-sec mailing list archives
Re: CVE Request: libesmtp does not check NULL bytes in commonName
From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Wed, 10 Mar 2010 17:01:04 +0100
Jan Lieskovsky wrote:
From what I can tell, two should be enough: a, libESMTP doesn't properly handle NULL character in Common Name
I've created the attached patch to fix that problem
b, libESMTP's match_component() accepts two strings as equal if they start equal but don't have equal length => cert forgery
The attached patch includes the patch from Debian. However, the match_domain() function probably should be rewritten anyways I guess. It matches patters such as 'foo.bar.*' which is rather weird. libESMTP also uses the Common Name as fallback even if a dNSName in subjectAltName is present but doesn't match. The Common Name should be ignored in that case according to RFC2818. The code to perform the checks is quite complicated with openSSL and I'm not an expert so I'd be glad if someone could review the patch. This really belongs into a library ... cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Attachment:
libesmtp-1.0.4-ssl.diff
Description:
Current thread:
- CVE Request: libesmtp does not check NULL bytes in commonName Kees Cook (Mar 03)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Jan Lieskovsky (Mar 09)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel (Mar 10)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Brian Stafford (Mar 10)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel (Mar 11)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Brian Stafford (Mar 11)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel (Mar 11)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Brian Stafford (Mar 11)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Brian Stafford (Mar 15)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel (Mar 16)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Brian Stafford (Mar 16)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName ArkanoiD (Mar 16)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel (Mar 16)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel (Mar 10)
- Re: CVE Request: libesmtp does not check NULL bytes in commonName Jan Lieskovsky (Mar 09)