oss-sec mailing list archives

Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug


From: Tomas Hoger <thoger () redhat com>
Date: Mon, 31 Aug 2009 19:38:40 +0200

On Mon, 31 Aug 2009 18:06:30 +0200 Steffen Ullrich
<Steffen_Ullrich () genua de> wrote:

>> Speaking of prefixes, has anyone checked IO-Socket-SSL for
>> CVE-2009-2408-like issues?  If there is an issue, should it get fixed
>> in IO-Socket-SSL or in Net-SSLeay?

> I did not check it yet.
> If there is a problem it has to be fixed in Net::SSLeay, IO::Socket::SSL
> is perl only and perl itself has no problems with strings containing \0.
> From the code in SSLeay.xs X509_get_subjectAltNames I would say that
> this part should be no problem, because it explicitly uses ASN1_STRING_length
> to specify the length of the string. But I'm not sure about the use
> of X509_get_subject_name where it magically converts an X509_NAME* into
> a perl string.
> I'll keep you updated once I've checked it.

I ran some tests on Net-SSLeay-1.35 and IO-Socket-SSL-1.30 and
verify_hostname always returned error for NUL in both CN and SAN.

-- 
Tomas Hoger / Red Hat Security Response Team
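
Added example, not part of the original message and not code from Net::SSLeay or IO::Socket::SSL: a self-contained C sketch of why a name field has to be compared with its explicit length (the role ASN1_STRING_length plays above) and rejected when it contains a NUL. The struct, function names and sample names are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a certificate name field: raw bytes plus the
 * explicit length that the ASN.1 encoding carries. */
struct name_field { const unsigned char *data; size_t len; };

/* Case-insensitive compare of n bytes. */
static int ieq(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed: treats the field as a C string, so bytes after the first NUL
 * are never looked at. */
static int match_cstring(const struct name_field *f, const char *host)
{
    size_t flen = strlen((const char *)f->data);
    return flen == strlen(host) && ieq(f->data, host, flen);
}

/* Hardened: uses the declared length and rejects any embedded NUL,
 * which can never be part of a valid host name. */
static int match_with_length(const struct name_field *f, const char *host)
{
    if (memchr(f->data, '\0', f->len) != NULL)
        return 0;
    return f->len == strlen(host) && ieq(f->data, host, f->len);
}

/* Constructed sample fields; example.org/example.net are placeholders. */
static const unsigned char CN_PLAIN[] = "www.example.org";
static const unsigned char CN_NUL[]   = "www.example.org\0.example.net";
static const struct name_field FIELD_PLAIN = { CN_PLAIN, sizeof(CN_PLAIN) - 1 };
static const struct name_field FIELD_NUL   = { CN_NUL,   sizeof(CN_NUL) - 1 };

int main(void)
{
    const char *host = "www.example.org";
    printf("plain: cstring=%d length-aware=%d\n",
           match_cstring(&FIELD_PLAIN, host), match_with_length(&FIELD_PLAIN, host));
    printf("NUL:   cstring=%d length-aware=%d\n",
           match_cstring(&FIELD_NUL, host), match_with_length(&FIELD_NUL, host));
    return 0;
}
```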

