Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 09 Mar 2010 19:00:57 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>, Kees Cook <kees@...ntu.com>
CC: Brian Stafford <brian@...fford.uklinux.net>,
        oss-security <oss-security@...ts.openwall.com>,
        libesmtp@...fford.uklinux.net, security@...ntu.com
Subject: Re: CVE Request: libesmtp does not check NULL bytes
 in commonName

Hi Steve,

Kees Cook wrote:
> Hello,
> 
> I just noticed that libesmtp does not appear to handle NULL-byte CNs, as
> seen with the original browser-based issue:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
> 
> Related to this are failures in wildcard handling:
>  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191
> and CN-specificity:
>  https://bugzilla.redhat.com/show_bug.cgi?id=510202
> 
> Though it may be a non-issue if TLS doesn't function at all:
>  http://bugs.gentoo.org/213066

   any progress while assigning CVE ids for these issues?

   From what I can tell, two should be enough:
   a, libESMTP doesn't properly handle NULL character in Common Name

     References:
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
       http://ioactive.com/pdfs/PKILayerCake.pdf (issue 2c)

   b, libESMTP's match_component() accepts two strings as equal
      if they start equal but don't have equal length => cert forgery

     References:
       http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191

   Kees, please correct me, if I omitted something.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> -Kees
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ