Date: Mon, 31 Aug 2009 18:06:30 +0200
From: Steffen Ullrich <Steffen_Ullrich@...ua.de>
To: Tomas Hoger <thoger@...hat.com>
Cc: oss-security@...ts.openwall.com,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug

On Mon, Aug 31, 2009 at 05:23:53PM +0200, Tomas Hoger <thoger@...hat.com> wrote:
> On Sat, 29 Aug 2009 20:45:53 +0200 Steffen Ullrich
> <Steffen_Ullrich@...ua.de> wrote:
> 
> > - the feature to help checking the hostname against the certificate is fairly new
> 
> Introduced in 1.14, unless I'm mistaken:
> 
>   http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.14/Changes
> 
> It may be good to have this listed in the CVE description.

Yes, this is a good idea.
The version 1.14 was released 2008/07/16 and the necessary Net::SSLeay
version 1.34 (which is needed for this feature) was released 2008/07/24.

> Anyway, prefix requirement is another mitigation, as one may not be
> able to get valid certificate for a prefix of arbitrary host name
> (though it may be easier for TLDs as .com and .net via .co and .ne).
> 
> Speaking of prefixes, has anyone checked IO-Socket-SSL for
> CVE-2009-2408-like issues?  If there is an issue, should it get fixed
> in IO-Socket-SSL or in Net-SSLeay?

I did not check it yet.
If there is a problem it has to be fixed in Net::SSLeay, IO::Socket::SSL
is perl only and perl itself has no problems with strings containing \0.
From the code in SSLeay.xs X509_get_subjectAltNames I would say that
this part should be no problem, because it explicitly uses ASN1_STRING_length
to specify the length of the string. But I'm not sure about the use
of X509_get_subject_name where it magically converts an X509_NAME* into
a perl string.
I'll keep you updated once I've checked it.

Regards,
Steffen


-- 
GeNUA Gesellschaft für Netzwerk - und Unix-Administration mbH
Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de
Tel: (089) 99 19 50-0, Fax: (089) 99 10 50 - 999

Managing Directors: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Munich District Court (Amtsgericht München) HRB 98238
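
An added illustration (not code from Net::SSLeay, IO::Socket::SSL or this thread) of the distinction the message draws between reading a certificate name as a C string and using its explicit length, the role ASN1_STRING_length plays. The struct `name_str`, both function names and the sample names are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for a length-carrying certificate string
 * (the role ASN1_STRING data + ASN1_STRING_length play in OpenSSL). */
struct name_str {
    const unsigned char *data;
    size_t len;
};

/* C-string semantics: the comparison stops at the first NUL byte,
 * so anything after it in the certificate name is never examined. */
int match_cstring(const struct name_str *cert, const char *host)
{
    return strcasecmp((const char *)cert->data, host) == 0;
}

/* Length-aware: reject names with an embedded NUL, then require the
 * full length to equal the hostname length before comparing bytes. */
int match_with_length(const struct name_str *cert, const char *host)
{
    if (memchr(cert->data, '\0', cert->len) != NULL)
        return 0;
    if (cert->len != strlen(host))
        return 0;
    return strncasecmp((const char *)cert->data, host, cert->len) == 0;
}

/* Constructed sample names, not taken from any real certificate. */
static const unsigned char NUL_NAME[] = "www.example.com\0.other.invalid";
static const unsigned char OK_NAME[]  = "www.example.com";

const struct name_str nul_name = { NUL_NAME, sizeof(NUL_NAME) - 1 };
const struct name_str ok_name  = { OK_NAME,  sizeof(OK_NAME) - 1 };

int main(void)
{
    const char *host = "www.example.com";
    printf("cstring, NUL name: %d\n", match_cstring(&nul_name, host));
    printf("length,  NUL name: %d\n", match_with_length(&nul_name, host));
    printf("length,  ok name:  %d\n", match_with_length(&ok_name, host));
    return 0;
}
```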
