Date: Wed, 17 Mar 2010 10:33:17 +0000
From: Brian Stafford <brian@...fford.uklinux.net>
To: Ludwig Nussel <ludwig.nussel@...e.de>
Cc: oss-security@...ts.openwall.com, libesmtp@...fford.uklinux.net, security@...ntu.com, Pawel Salek <pawsa@...ochem.kth.se>, jskarvad@...hat.com
Subject: Re: CVE Request: libesmtp does not check NULL bytes in commonName

All

I've reviewed Ludwig's patch again in light of various issues in recent discussion. I have attached a patch incorporating this and one further modification.

Since both the original and patched versions of match_component() implement wildcards rather less liberally than RFC 2818 implies, I decided to move towards the approach in the I-D. match_component() now accepts either a string or a single wildcard '*'. Matched characters are validated against the set of valid domain name component characters, that is, *.example.org will not match %.example.org, nor for that matter will the pattern %.example.org.

Question: should underline '_' be in the set of valid characters?

I have not altered the match_domain() algorithm so it will still accept a wildcard component in any position.

I have tested the modified match against a number of valid and invalid patterns and domain names and behaviour is as expected.

Other than that I reformatted the affected code through 'indent -gnu -bad' and twiddled things to bring things in line with the 'house style' and to stop code wandering off the right edge of the screen!

Regards
Brian

View attachment "smtp-tls.c.patch" of type "text/x-patch" (5638 bytes)
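The matching rules described in the message above, as an added C sketch that is not the libesmtp code or the attached patch. The names match_component() and match_domain() come from the message; their signatures and bodies, the explicit pattern length, and the exclusion of '_' from the valid set are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed valid set (default C locale): letters, digits, '-'; '_' left out. */
static int valid_char(unsigned char c) { return isalnum(c) || c == '-'; }

/* One label against one pattern label: a literal string or a lone '*'. */
static int match_component(const char *dom, size_t dlen,
                           const char *pat, size_t plen)
{
    int wild = (plen == 1 && pat[0] == '*');
    if (dlen == 0 || (!wild && dlen != plen))
        return 0;
    for (size_t i = 0; i < dlen; i++) {
        unsigned char d = (unsigned char)dom[i];
        if (!valid_char(d))
            return 0;               /* e.g. '%' never matches anything */
        if (!wild && tolower(d) != tolower((unsigned char)pat[i]))
            return 0;
    }
    return 1;
}

/* plen is the encoded length of the certificate name, not strlen(pat). */
static int match_domain(const char *domain, const char *pat, size_t plen)
{
    size_t dlen = strlen(domain);
    if (memchr(pat, '\0', plen) != NULL)
        return 0;                   /* embedded NUL byte: reject the name */
    for (;;) {
        const char *dd = memchr(domain, '.', dlen);
        const char *pd = memchr(pat, '.', plen);
        size_t dl = dd ? (size_t)(dd - domain) : dlen;
        size_t pl = pd ? (size_t)(pd - pat) : plen;
        if (!match_component(domain, dl, pat, pl))
            return 0;
        if (!dd || !pd)
            return !dd && !pd;      /* both names must end together */
        domain = dd + 1, dlen -= dl + 1;
        pat = pd + 1, plen -= pl + 1;
    }
}

int main(void)
{
    printf("%d\n", match_domain("mail.example.org", "*.example.org", 13));
    return 0;
}
```

Passing the encoded length separately is what lets the NUL check see bytes that strlen() would hide.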