oss-sec mailing list archives
Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug
From: Tomas Hoger <thoger () redhat com>
Date: Mon, 31 Aug 2009 19:38:40 +0200
On Mon, 31 Aug 2009 18:06:30 +0200 Steffen Ullrich <Steffen_Ullrich () genua de> wrote:
Speaking of prefixes, has anyone checked IO-Socket-SSL for CVE-2009-2408-like issues? If there is an issues, should it get fixed in IO-Socket-SSL or in Net-SSLeay?I did not check it yet. If there is a problem it has to be fixed in Net::SSLeay, IO::Socket::SSL is perl only and perl itself has no problems with strings containing \0. From the code in SSLeay.xs X509_get_subjectAltNames I would say, that this part should be no problem, because it explicitly uses ASN1_STRING_length to specify the length of the string. But I'm not sure about the use of X509_get_subject_name where it magically converts an X509_NAME* into a perl string. I keep you updated once I've checked it.
I ran some test on Net-SSLeay-1.35 and IO-Socket-SSL-1.30 and verify_hostname always returned error for NUL in both CN and SAN. -- Tomas Hoger / Red Hat Security Response Team
Current thread:
- CVE request: perl-IO-Socket-SSL certificate hostname compare bug Ludwig Nussel (Aug 28)
- Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 29)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Tomas Hoger (Aug 31)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 31)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Tomas Hoger (Aug 31)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 31)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Tomas Hoger (Aug 31)
- Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 29)