oss-sec mailing list archives

Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass

From: Tomas Hoger <thoger () redhat com>
Date: Wed, 5 Aug 2009 22:05:15 +0200

Hi Matthias!

On Wed, 05 Aug 2009 18:55:39 +0200 "Matthias Andree"
<matthias.andree () gmx de> wrote:

FWIW, I haven't yet tested if this works for NUL in subjectAltNames,
as I currently don't know how to generate such a certificate (can be  
self-signed) without writing major amounts of code.

If someone has a certificate that has embedded NULs in
subjectAltNames that I can use for testing, please send it along
together with its key so that I can check the fix also works in that
code path.


I managed to build these, that may be helpful during the testing:

  http://people.redhat.com/thoger/certs-with-nuls/

Let me know if anything needed is missing there.

HTH

-- 
Tomas Hoger / Red Hat Security Response Team

Current thread:

CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Matthias Andree (Aug 05)
- Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Tomas Hoger (Aug 05)
  - Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Matthias Andree (Aug 05)
    - Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Steven M. Christey (Aug 05)
    - Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Tomas Hoger (Aug 05)
    - Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Matthias Andree (Aug 05)
    - Re: "umbrella" CVE names (was: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass) Matthias Andree (Aug 21)
    - Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Tomas Hoger (Aug 05)
  - Re: CVE request: fetchmail <= 6.3.10 SSL certificate NUL prefix verification bypass Henri Salo (Aug 05)