diff options
author | Hugo Landau <hlandau@openssl.org> | 2023-01-17 17:45:42 +0000 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2023-02-03 11:22:47 +0100 |
commit | 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 (patch) | |
tree | 75cc399a7975c2edc26157f15b9987f0b2035c79 /CHANGES | |
parent | f040f2577891d2bdb7610566c172233844cf673a (diff) |
CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 18 |
1 files changed, 17 insertions, 1 deletions
@@ -9,7 +9,23 @@ Changes between 1.1.1s and 1.1.1t [xx XXX xxxx] - *) + *) Fixed a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING + but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This + vulnerability may allow an attacker who can provide a certificate chain and + CRL (neither of which need have a valid signature) to pass arbitrary + pointers to a memcmp call, creating a possible read primitive, subject to + some constraints. Refer to the advisory for more information. Thanks to + David Benjamin for discovering this issue. (CVE-2023-0286) + + This issue has been fixed by changing the public header file definition of + GENERAL_NAME so that x400Address reflects the implementation. It was not + possible for any existing application to successfully use the existing + definition; however, if any application references the x400Address field + (e.g. in dead code), note that the type of this field has changed. There is + no ABI change. + + [Hugo Landau] Changes between 1.1.1r and 1.1.1s [1 Nov 2022] |