Date: Wed, 17 Mar 2010 10:33:17 +0000
From: Brian Stafford <brian@...fford.uklinux.net>
To: Ludwig Nussel <ludwig.nussel@...e.de>
Cc: oss-security@...ts.openwall.com, libesmtp@...fford.uklinux.net,
	security@...ntu.com, Pawel Salek <pawsa@...ochem.kth.se>,
	jskarvad@...hat.com
Subject: Re: CVE Request: libesmtp does not check NULL bytes
 in commonName

All

I've reviewed Ludwig's patch again in light of various issues in recent 
discussion.  I have attached a patch incorporating this and one further 
modification.

Since both the original and patched versions of match_component() 
implement wildcards rather less liberally than RFC 2818 implies, I 
decided to move towards the approach in the I-D.  match_component() now 
accepts either a string or a single wildcard '*'.  Matched characters 
are validated against the set of valid domain name component characters,
that is, *.example.org will not match %.example.org, nor for that 
matter will the pattern %.example.org.  Question: should underline '_' 
be in the set of valid characters?

I have not altered the match_domain() algorithm so it will still accept 
a wildcard component in any position.  I have tested the modified match 
against a number of valid and invalid patterns and domain names and 
behaviour is as expected.

Other than that I reformatted the affected code through 'indent -gnu 
-bad' and twiddled things to bring things in line with the 'house style' 
and to stop code wandering off the right edge of the screen!

Regards
Brian

View attachment "smtp-tls.c.patch" of type "text/x-patch" (5638 bytes)
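
Added example, not the attached patch and not libesmtp's own code: the matching rules described in the message above, written out in C with a length-delimited certificate name so that a NUL byte inside commonName is refused instead of truncating the comparison. The names example_match_component() and example_match_domain(), and the choice to exclude '_', are assumptions made for this illustration.

```c
#include <ctype.h>
#include <string.h>

/* Valid domain name component characters: letters, digits, '-'.
   Assumption: '_' is excluded; the message leaves that question open. */
static int valid_label_char (unsigned char c)
{
  return isalnum (c) || c == '-';
}

/* Hypothetical stand-in for match_component(): the pattern component is
   either a literal string or the single wildcard "*". */
static int example_match_component (const char *pat, size_t plen,
                                    const char *host, size_t hlen)
{
  int wild = (plen == 1 && pat[0] == '*');
  size_t i;

  if (hlen == 0 || (!wild && plen != hlen))
    return 0;
  for (i = 0; i < hlen; i++)
    {
      unsigned char h = (unsigned char) host[i];
      if (!valid_label_char (h))        /* '%' fails even under "*" */
        return 0;
      if (!wild && tolower (h) != tolower ((unsigned char) pat[i]))
        return 0;
    }
  return 1;
}

/* Hypothetical stand-in for match_domain(): a wildcard component is
   accepted in any position.  cn carries an explicit length (as an ASN.1
   string does), so an embedded NUL is detected and the name rejected. */
int example_match_domain (const char *cn, size_t cn_len, const char *host)
{
  const char *cn_end = cn + cn_len, *host_end = host + strlen (host);

  if (memchr (cn, '\0', cn_len) != NULL)
    return 0;
  while (cn < cn_end && host < host_end)
    {
      const char *cd = memchr (cn, '.', (size_t) (cn_end - cn));
      const char *hd = memchr (host, '.', (size_t) (host_end - host));
      if (!example_match_component (cn, (size_t) ((cd ? cd : cn_end) - cn),
                                    host, (size_t) ((hd ? hd : host_end) - host)))
        return 0;
      if (cd == NULL || hd == NULL)     /* last component on either side */
        return cd == NULL && hd == NULL;
      cn = cd + 1, host = hd + 1;
    }
  return 0;
}
```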
