https://bugzilla.novell.com/show_bug.cgi?id=890510
https://bugzilla.novell.com/show_bug.cgi?id=890510#c0

Summary: serf handling of NUL bytes in fields of an X.509 cert
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: All
OS/Version: openSUSE 13.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: Andreas.Stieger@gmx.de
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0
Deal with NUL bytes in fields of an X.509 cert.
* buckets/ssl_buckets.c:
  (pstrdup_escape_nul_bytes, get_subject_alt_names, validate_cert_hostname): New functions.
  (validate_server_certificate): Use validate_cert_hostname() to return SERF_SSL_CERT_INVALID_HOST if CommonName or SubjectAltNames include a NUL byte.
  (convert_X509_NAME_to_table): Use pstrdup_escape_nul_bytes() to escape NUL bytes before adding fields to the hash table.
  (serf_ssl_cert_certificate): Replace some code with a call to get_subject_alt_names() where we factored out the code to.
* serf_bucket_types.h (SERF_SSL_CERT_INVALID_HOST): New error.
Reads like this may be similar to CVE-2009-2408, e.g. \0 bytes in certificates would allow MITM attacks. CWE-297?
openssl x509 -in test/certs/servercert_cnsan_nul.pem -text -noout
[...]
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=www.example.net\x00.example.com
[...]
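As an added illustration (not serf's code), the following Python models the two checks the change introduces: the NUL-byte rejection done by validate_cert_hostname() and the escaping done by pstrdup_escape_nul_bytes() before fields reach the hash table, run on a constructed CN of the same shape as the test certificate's. Function and constant names are stand-ins, not serf's API.

```python
from typing import Optional

# Stand-in for serf's new error flag (added example, not serf's code).
SERF_SSL_CERT_INVALID_HOST = "SERF_SSL_CERT_INVALID_HOST"


def c_string_view(raw: bytes) -> str:
    """What a consumer that treats the field as a NUL-terminated C string sees:
    only the bytes before the first NUL.  This truncation is what makes
    'www.example.net\\x00.example.com' look like 'www.example.net'."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def escape_nul_bytes(raw: bytes) -> str:
    """Model of pstrdup_escape_nul_bytes(): render the length-delimited ASN.1
    value with each NUL made visible as '\\x00', so nothing is silently cut
    off when the field is stored or displayed."""
    return raw.decode("latin-1").replace("\x00", "\\x00")


def validate_cert_names(common_name: bytes, subject_alt_names: list) -> Optional[str]:
    """Model of the validate_cert_hostname() check: any NUL byte in the
    CommonName or in a SubjectAltName entry marks the certificate invalid
    for the host.  Returns None when no NUL is present."""
    for name in [common_name, *subject_alt_names]:
        if b"\x00" in name:
            return SERF_SSL_CERT_INVALID_HOST
    return None


def subject_table(fields: dict) -> dict:
    """Model of convert_X509_NAME_to_table(): every field is escaped before
    it is stored, so an embedded NUL survives as visible text."""
    return {key: escape_nul_bytes(value) for key, value in fields.items()}


# Constructed sample mirroring the CN shown by openssl above: the raw ASN.1
# value carries a NUL between the two host names.
NUL_CN = b"www.example.net\x00.example.com"
CLEAN_CN = b"www.example.com"

if __name__ == "__main__":
    print("truncated view :", c_string_view(NUL_CN))
    print("escaped view   :", escape_nul_bytes(NUL_CN))
    print("NUL cert       :", validate_cert_names(NUL_CN, [b"www.example.net"]))
    print("clean cert     :", validate_cert_names(CLEAN_CN, [b"example.com"]))
```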
Change will be part of serf 1.3.7 scheduled for 2014-08-11.

openSUSE 13.1: libserf-1-1 (serf) 1.3.6
openSUSE 12.3: libserf-1-0 (serf) 1.1.1

Reproducible: Didn't try