oss-sec mailing list archives
Re: CVE Request: libesmtp does not check NULL bytes in commonName
From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 30 Mar 2010 16:34:35 -0400 (EDT)
On Wed, 3 Mar 2010, Kees Cook wrote:
> I just noticed that libesmtp does not appear to handle NULL-byte CNs, as seen with the original browser-based issue: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
Use CVE-2010-1192
> Related to this are failures in wildcard handling: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191
Use CVE-2010-1194

I'm guessing that upstream 1.0.4 and earlier are affected by both problems.
- Steve