Date: Mon, 31 Aug 2009 18:06:30 +0200
From: Steffen Ullrich <Steffen_Ullrich@...ua.de>
To: Tomas Hoger <thoger@...hat.com>
Cc: oss-security@...ts.openwall.com,
"Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug
On Mon, Aug 31, 2009 at 05:23:53PM +0200, Tomas Hoger <thoger@...hat.com> wrote:
> On Sat, 29 Aug 2009 20:45:53 +0200 Steffen Ullrich
> <Steffen_Ullrich@...ua.de> wrote:
>
> > - the feature to help checking the hostname against the certificate is fairly new
>
> Introduced in 1.14, unless I'm mistaken:
>
> http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.14/Changes
>
> It may be good to have this listed in the CVE description.
yes, this is a good idea.
Version 1.14 was released 2008/07/16 and the necessary Net::SSLeay
version 1.34 (which is needed for this feature) was released 2008/07/24.
> Anyway, prefix requirement is another mitigation, as one may not be
> able to get valid certificate for a prefix of arbitrary host name
> (though it may be easier for TLDs as .com and .net via .co and .ne).
>
> Speaking of prefixes, has anyone checked IO-Socket-SSL for
> CVE-2009-2408-like issues? If there is an issues, should it get fixed
> in IO-Socket-SSL or in Net-SSLeay?
I did not check it yet.
If there is a problem it has to be fixed in Net::SSLeay; IO::Socket::SSL
is Perl only, and Perl itself has no problems with strings containing \0.
From the code in SSLeay.xs X509_get_subjectAltNames I would say that
this part should be no problem, because it explicitly uses ASN1_STRING_length
to specify the length of the string. But I'm not sure about the use
of X509_get_subject_name where it magically converts an X509_NAME* into
a Perl string.
I'll keep you updated once I've checked it.
Regards,
Steffen
--
GeNUA Gesellschaft für Netzwerk- und Unix-Administration mbH
Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de
Tel: (089) 99 19 50-0, Fax: (089) 99 10 50 - 999
Managing directors: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht München HRB 98238
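The two failure modes discussed in this message (a certificate name that is only a prefix of the hostname, and a CVE-2009-2408-style name with an embedded NUL byte that a C-string consumer silently truncates) can be reproduced side by side with a small model. The following is an added example, not code from Net::SSLeay, IO::Socket::SSL or OpenSSL: `asn1_str` is a simplified stand-in for OpenSSL's ASN1_STRING (data pointer plus explicit length), the certificate names are constructed test data, and `match_as_cstring` / `match_as_prefix` model the two bugs as described above rather than reproducing either project's actual code. `match_length_aware` is the check a consumer should do: use the ASN.1 length, reject embedded NULs, and require the whole name to equal the whole hostname.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified stand-in for OpenSSL's ASN1_STRING: a pointer plus an explicit
 * length. Nothing guarantees that data is NUL-terminated or NUL-free. */
typedef struct {
    const unsigned char *data;
    int length;
} asn1_str;

/* Constructed test data (not from any real certificate).
 * CN_NUL is the CVE-2009-2408 pattern: a C-string consumer sees only
 * "www.paypal.com", while the ASN.1 value is 32 bytes long. */
static const unsigned char CN_NUL_BYTES[] = "www.paypal.com\0.attacker.example";
static const asn1_str CN_NUL = { CN_NUL_BYTES, (int)sizeof CN_NUL_BYTES - 1 };

/* CN_CO is a name that is a proper prefix of www.example.com. */
static const unsigned char CN_CO_BYTES[] = "www.example.co";
static const asn1_str CN_CO = { CN_CO_BYTES, (int)sizeof CN_CO_BYTES - 1 };

/* CN_OK is a benign name for the positive case. */
static const unsigned char CN_OK_BYTES[] = "www.example.com";
static const asn1_str CN_OK = { CN_OK_BYTES, (int)sizeof CN_OK_BYTES - 1 };

/* VULNERABLE (NUL-byte case): treats the ASN.1 value as a C string, so
 * everything after the first NUL is invisible and the attacker-controlled
 * name compares equal to www.paypal.com. */
int match_as_cstring(const asn1_str *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* VULNERABLE (prefix case, modelling the bug discussed in the thread): the
 * certificate name only has to be a prefix of the hostname, so a name of
 * www.example.co is accepted for www.example.com. */
int match_as_prefix(const asn1_str *cn, const char *host)
{
    size_t n = (size_t)cn->length;
    return n <= strlen(host) && strncasecmp((const char *)cn->data, host, n) == 0;
}

/* FIXED: honour the ASN.1 length, reject any embedded NUL outright, and
 * require the whole value to equal the whole hostname (DNS names are
 * case-insensitive, so the comparison is too). */
int match_length_aware(const asn1_str *cn, const char *host)
{
    size_t hlen = strlen(host);
    if (cn->length < 0) return 0;
    if (memchr(cn->data, '\0', (size_t)cn->length) != NULL) return 0;
    if ((size_t)cn->length != hlen) return 0;
    return strncasecmp((const char *)cn->data, host, hlen) == 0;
}

int main(void)
{
    printf("C-string compare, NUL-byte CN vs www.paypal.com : %d (should be 0)\n",
           match_as_cstring(&CN_NUL, "www.paypal.com"));
    printf("prefix compare, www.example.co vs www.example.com: %d (should be 0)\n",
           match_as_prefix(&CN_CO, "www.example.com"));
    printf("length-aware, NUL-byte CN vs www.paypal.com     : %d\n",
           match_length_aware(&CN_NUL, "www.paypal.com"));
    printf("length-aware, www.example.co vs www.example.com : %d\n",
           match_length_aware(&CN_CO, "www.example.com"));
    printf("length-aware, www.example.com vs WWW.Example.COM: %d\n",
           match_length_aware(&CN_OK, "WWW.Example.COM"));
    return 0;
}
```

The point of the NUL-byte case is the one Steffen raises about X509_get_subject_name: any conversion that hands a name to Perl through a NUL-terminated C string loses the tail, and a later comparison on the Perl side cannot recover it. A subjectAltName path that carries ASN1_STRING_length along, as he describes for X509_get_subjectAltNames, corresponds to `match_length_aware` here.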