diff options
author | Hugo Landau <hlandau@openssl.org> | 2023-01-17 17:45:42 +0000 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2023-02-07 17:02:47 +0100 |
commit | 84d85fcabd6d8f3740ad015bda329512630799df (patch) | |
tree | 51d2937b088af81792139df1cc51d75aea02629b | |
parent | de4e3868de2de12fb799a1cdbba87c44b61cf3e2 (diff) |
CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (3.0)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
-rw-r--r-- | CHANGES.md | 19 | ||||
-rw-r--r-- | crypto/x509/v3_genn.c | 2 | ||||
-rw-r--r-- | include/openssl/x509v3.h.in | 2 | ||||
-rw-r--r-- | test/v3nametest.c | 8 |
4 files changed, 29 insertions, 2 deletions
diff --git a/CHANGES.md b/CHANGES.md index 2f5d1b6337..192c5c32ff 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -118,6 +118,24 @@ breaking changes, and mappings for the large list of deprecated functions. *Nicola Tuveri* + * Fixed a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an `ASN1_STRING` + but subsequently interpreted by `GENERAL_NAME_cmp` as an `ASN1_TYPE`. This + vulnerability may allow an attacker who can provide a certificate chain and + CRL (neither of which need have a valid signature) to pass arbitrary pointers + to a `memcmp` call, creating a possible read primitive, subject to some + constraints. Refer to the advisory for more information. Thanks to David + Benjamin for discovering this issue. ([CVE-2023-0286]) + + This issue has been fixed by changing the public header file definition of + `GENERAL_NAME` so that `x400Address` reflects the implementation. It was not + possible for any existing application to successfully use the existing + definition; however, if any application references the `x400Address` field + (e.g. in dead code), note that the type of this field has changed. There is + no ABI change. + + *Hugo Landau* + ### Changes between 3.0.6 and 3.0.7 [1 Nov 2022] * Fixed two buffer overflows in punycode decoding functions. @@ -19505,6 +19523,7 @@ ndif <!-- Links --> +[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 [CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971 diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c index c0a7166cd0..1741c2d2f6 100644 --- a/crypto/x509/v3_genn.c +++ b/crypto/x509/v3_genn.c @@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) return -1; switch (a->type) { case GEN_X400: - result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); + result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); break; case GEN_EDIPARTY: diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in index 455a997d06..96066884f8 100644 --- a/include/openssl/x509v3.h.in +++ b/include/openssl/x509v3.h.in @@ -157,7 +157,7 @@ typedef struct GENERAL_NAME_st { OTHERNAME *otherName; /* otherName */ ASN1_IA5STRING *rfc822Name; ASN1_IA5STRING *dNSName; - ASN1_TYPE *x400Address; + ASN1_STRING *x400Address; X509_NAME *directoryName; EDIPARTYNAME *ediPartyName; ASN1_IA5STRING *uniformResourceIdentifier; diff --git a/test/v3nametest.c b/test/v3nametest.c index 6d2e2f8e27..0341995dde 100644 --- a/test/v3nametest.c +++ b/test/v3nametest.c @@ -644,6 +644,14 @@ static struct gennamedata { 0xb7, 0x09, 0x02, 0x02 }, 15 + }, { + /* + * Regression test for CVE-2023-0286. + */ + { + 0xa3, 0x00 + }, + 2 } }; |