Date: Wed, 16 Apr 2014 22:10:35 +0200
From: Raphael Geissert <geissert@...ian.org>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: CVE request: openssl: missing critical flag for extended key usage not always detected in time-stamp verification

Hi,

Quoting from [0]:
> "check_purpose_timestamp_sign()" in source file v3_purp.c [...] fails to
> detect a missing critical flag if the extensions of the TSA certificate
> are arranged in a specific order.

Could a CVE id be assigned for this?

The referenced commit fixes it "and to two other cases in the same file."

References:
[0] http://rt.openssl.org/Ticket/Display.html?id=3309&user=guest&pass=guest
[1] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=300b9f0b704048f60776881f1d378c74d9c32fbd

Digging through history, the bug on TSA was introduced in
[2] http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=c7235be6e36c4bef84594aa3b2f0561db84b63d8
(Strangely tagged for 0.9.8l and 0.9.8k but none of the other versions of
the 0.9.8 branch)

And the two others in:
[3] http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=d9bfe4f97cd4244beb0598cc348d68b04dac7068
(going all the way back to 0.9.7)

Haven't checked if the meaning of the X509_get_ext_by_NID parameter changed 
at some point.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
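The following is an added example, not part of the post above and not OpenSSL's code. It is a small C model of the extension lookup that illustrates how a purpose check can become order dependent. It assumes (the post hints at the `X509_get_ext_by_NID` parameter but does not state this) that the relevant detail is the `lastpos` argument: the search starts at `lastpos + 1`, so a caller that passes `0` instead of `-1` never sees the first extension, and a non-critical EKU placed first is silently skipped. The `ext_t` struct, the NID constants and the two sample certificates are constructed placeholders for the model, not OpenSSL types or real certificates.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of a certificate's extension list. These are not
 * OpenSSL's structures; the NID values are placeholders for this model. */
typedef struct {
    int nid;       /* which extension (stand-in for an OpenSSL NID) */
    int critical;  /* 1 if the extension carries the critical flag */
} ext_t;

enum { NID_KEY_USAGE = 1, NID_EXT_KEY_USAGE = 2, NID_BASIC_CONSTRAINTS = 3 };

/* Same contract as X509_get_ext_by_NID(): the search starts at index
 * lastpos + 1, so the caller must pass -1 to scan from the first extension.
 * Returns the index of the first match at or after that point, or -1. */
int find_ext_by_nid(const ext_t *exts, size_t n, int nid, int lastpos)
{
    for (int i = lastpos + 1; i >= 0 && (size_t)i < n; i++)
        if (exts[i].nid == nid)
            return i;
    return -1;
}

/* Model of the TSA purpose check's rule that Extended Key Usage MUST be
 * critical. start_pos is the lastpos handed to the lookup: 0 reproduces the
 * order-dependent miss, -1 the intended behaviour.
 * Returns 1 if the certificate is accepted, 0 if it is rejected. */
int tsa_eku_critical_check(const ext_t *exts, size_t n, int start_pos)
{
    int i = find_ext_by_nid(exts, n, NID_EXT_KEY_USAGE, start_pos);
    if (i >= 0 && !exts[i].critical)
        return 0;  /* EKU found and not critical: reject */
    return 1;      /* EKU critical, or (with start_pos 0) never inspected */
}

/* Constructed TSA certificates. The first two carry a NON-critical EKU and
 * differ only in extension order; both must be rejected by a correct check.
 * The third carries a critical EKU and must be accepted either way. */
const ext_t eku_first[] = {
    { NID_EXT_KEY_USAGE,     0 },
    { NID_KEY_USAGE,         1 },
    { NID_BASIC_CONSTRAINTS, 1 },
};
const ext_t eku_second[] = {
    { NID_KEY_USAGE,         1 },
    { NID_EXT_KEY_USAGE,     0 },
    { NID_BASIC_CONSTRAINTS, 1 },
};
const ext_t eku_critical[] = {
    { NID_EXT_KEY_USAGE,     1 },
    { NID_KEY_USAGE,         1 },
    { NID_BASIC_CONSTRAINTS, 1 },
};
#define N_EXT 3

static const char *verdict(int accepted)
{
    return accepted ? "accepted" : "rejected";
}

int main(void)
{
    /* With lastpos 0 the verdict depends on where the EKU sits in the list. */
    printf("lastpos= 0, EKU first  : %s\n", verdict(tsa_eku_critical_check(eku_first,  N_EXT,  0)));
    printf("lastpos= 0, EKU second : %s\n", verdict(tsa_eku_critical_check(eku_second, N_EXT,  0)));
    /* With lastpos -1 the order no longer matters. */
    printf("lastpos=-1, EKU first  : %s\n", verdict(tsa_eku_critical_check(eku_first,  N_EXT, -1)));
    printf("lastpos=-1, EKU second : %s\n", verdict(tsa_eku_critical_check(eku_second, N_EXT, -1)));
    printf("lastpos=-1, critical   : %s\n", verdict(tsa_eku_critical_check(eku_critical, N_EXT, -1)));
    return 0;
}
```

The practical check for any code that walks X.509 extensions by NID is that the first lookup in a loop starts at -1 and later iterations feed back the previous index; a test suite for a purpose check should include the same certificate with its extensions permuted, since the model above shows a single ordering can pass while another is rejected.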
