Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 14 Jun 2010 13:25:03 +0200
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: oss-security@...ts.openwall.com
Subject: CVE Request: w3m does not check null bytes CN/subjAltName

Hi,

Yet another occurrence of CVE-2009-2408, this time in w3m. I tried
contacting the w3m developers listed on sourceforge but got no
response. In the default configuration the missing null checks don't
make the situation worse though as w3m doesn't verify certificates
by default ('ssl_verify_server' is off by default). Attached two
patches turn on 'ssl_verify_server' and fix the null handling.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

verify SSL certificates by default. SSL support really is pointless without doing that.
Also disable use of SSLv2 by default as it's insecure, deprecated, dead since last century.
Index: w3m-0.5.2/fm.h
===================================================================
--- w3m-0.5.2.orig/fm.h
+++ w3m-0.5.2/fm.h
@@ -1120,7 +1120,7 @@ global int view_unseenobject init(TRUE);
 #endif
 
 #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
-global int ssl_verify_server init(FALSE);
+global int ssl_verify_server init(TRUE);
 global char *ssl_cert_file init(NULL);
 global char *ssl_key_file init(NULL);
 global char *ssl_ca_path init(NULL);
@@ -1129,7 +1129,7 @@ global int ssl_path_modified init(FALSE)
 #endif				/* defined(USE_SSL) &&
 				 * defined(USE_SSL_VERIFY) */
 #ifdef USE_SSL
-global char *ssl_forbid_method init(NULL);
+global char *ssl_forbid_method init("2");
 #endif
 
 global int is_redisplay init(FALSE);

Index: w3m-0.5.2/istream.c
===================================================================
--- w3m-0.5.2.orig/istream.c
+++ w3m-0.5.2/istream.c
@@ -447,8 +447,17 @@ ssl_check_cert_ident(X509 * x, char *hos
 
 		    if (!seen_dnsname)
 			seen_dnsname = Strnew();
+		    /* replace \0 to make full string visible to user */
+		    if (sl != strlen(sn)) {
+			int i;
+			for (i = 0; i < sl; ++i) {
+			    if (!sn[i])
+				sn[i] = '!';
+			}
+		    }
 		    Strcat_m_charp(seen_dnsname, sn, " ", NULL);
-		    if (ssl_match_cert_ident(sn, sl, hostname))
+		    if (sl == strlen(sn) /* catch \0 in SAN */
+			&& ssl_match_cert_ident(sn, sl, hostname))
 			break;
 		}
 	    }
@@ -466,16 +475,27 @@ ssl_check_cert_ident(X509 * x, char *hos
     if (match_ident == FALSE && ret == NULL) {
 	X509_NAME *xn;
 	char buf[2048];
+	int slen;
 
 	xn = X509_get_subject_name(x);
 
-	if (X509_NAME_get_text_by_NID(xn, NID_commonName,
-				      buf, sizeof(buf)) == -1)
+	slen = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf));
+	if ( slen == -1)
 	    /* FIXME: gettextize? */
 	    ret = Strnew_charp("Unable to get common name from peer cert");
-	else if (!ssl_match_cert_ident(buf, strlen(buf), hostname))
+	else if (slen != strlen(buf)
+		|| !ssl_match_cert_ident(buf, strlen(buf), hostname)) {
+	    /* replace \0 to make full string visible to user */
+	    if (slen != strlen(buf)) {
+		int i;
+		for (i = 0; i < slen; ++i) {
+		    if (!buf[i])
+			buf[i] = '!';
+		}
+	    }
 	    /* FIXME: gettextize? */
 	    ret = Sprintf("Bad cert ident %s from %s", buf, hostname);
+	}
 	else
 	    match_ident = TRUE;
     }

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ