Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
openvpn.4990
0003-Fix-potential-double-free-in-x509-alt-user...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0003-Fix-potential-double-free-in-x509-alt-username-CVE-2.patch of Package openvpn.4990
From 1dde0cd6e5e6a0f2f45ec9969b7ff1b6537514ad Mon Sep 17 00:00:00 2001 From: Steffan Karger <steffan.karger@fox-it.com> Date: Mon, 19 Jun 2017 11:28:40 +0200 Subject: [PATCH 3/5] Fix potential double-free in --x509-alt-username (CVE-2017-7521) We didn't check the return value of ASN1_STRING_to_UTF8() in extract_x509_extension(). Ignoring such a failure could result in buf being free'd twice. An error in ASN1_STRING_to_UTF8() can be caused remotely if the peer can make the local process run out of memory. The problem can only be triggered for configurations that use the --x509-alt-username option with an x509 extension (i.e. the option parameter starts with "ext:"). This issue was discovered, analysed and reported to the OpenVPN team by Guido Vranken. Extensive testing by Guido Vranken gives confidence that this function is very unlikely to fail in real-world usage (using subjectAltName or issuerAltName extensions) for other reasons than memory exhaustion. CVE: 2017-7521 Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Guido Vranken <guidovranken@gmail.com> Message-Id: <1497864520-12219-6-git-send-email-steffan.karger@fox-it.com> URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-6-git-send-email-steffan.karger@fox-it.com Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit cb4e35ece4a5b70b10ef9013be3bff263d82f32b) --- src/openvpn/ssl_verify_openssl.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index ba18e683..2a892747 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -138,7 +138,10 @@ bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size) switch (name->type) { case GEN_EMAIL: - ASN1_STRING_to_UTF8((unsigned char**)&buf, name->d.ia5); + if (ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5) < 0) + { + continue; + } if ( strlen (buf) != name->d.ia5->length ) { msg (D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero"); -- 2.13.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor