From 4d72c44be29d5fce5a29a0627277f0943a782481 Mon Sep 17 00:00:00 2001 From: cperciva Date: Wed, 22 Apr 2009 14:07:14 +0000 Subject: [PATCH] Don't leak information via uninitialized space in db(3) records. [09:07] Sanity-check string lengths in order to stop OpenSSL crashing when printing corrupt BMPString or UniversalString objects. [09:08] Security: FreeBSD-SA-09:07.libc Security: FreeBSD-SA-09:08.openssl Security: CVE-2009-0590 Approved by: re (kensmith) Approved by: so (cperciva) git-svn-id: svn://svn.freebsd.org/base/releng/7.2@191381 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 7 +++++++ crypto/openssl/crypto/asn1/asn1.h | 2 ++ crypto/openssl/crypto/asn1/asn1_err.c | 2 ++ crypto/openssl/crypto/asn1/tasn_dec.c | 12 ++++++++++++ 4 files changed, 23 insertions(+) diff --git a/UPDATING b/UPDATING index ea244187..d4af03b4 100644 --- a/UPDATING +++ b/UPDATING @@ -8,6 +8,13 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20090422: FreeBSD-SA-09:07.libc, FreeBSD-SA-09:08.openssl + Don't leak information via uninitialized space in db(3) records. + [09:07] + + Sanity-check string lengths in order to stop OpenSSL crashing + when printing corrupt BMPString or UniversalString objects. [09:08] + 20090326: Following bug-fixes to TCP connection state flags, netstat, systat, and sockstat will need to be rebuilt in order to properly print diff --git a/crypto/openssl/crypto/asn1/asn1.h b/crypto/openssl/crypto/asn1/asn1.h index a60ab04a..4574b21a 100644 --- a/crypto/openssl/crypto/asn1/asn1.h +++ b/crypto/openssl/crypto/asn1/asn1.h @@ -1134,6 +1134,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_BAD_OBJECT_HEADER 102 #define ASN1_R_BAD_PASSWORD_READ 103 #define ASN1_R_BAD_TAG 104 +#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210 #define ASN1_R_BN_LIB 105 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 #define ASN1_R_BUFFER_TOO_SMALL 107 @@ -1213,6 +1214,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 #define ASN1_R_UNEXPECTED_EOC 159 +#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211 #define ASN1_R_UNKNOWN_FORMAT 160 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 diff --git a/crypto/openssl/crypto/asn1/asn1_err.c b/crypto/openssl/crypto/asn1/asn1_err.c index f6b5c3f3..796cc96a 100644 --- a/crypto/openssl/crypto/asn1/asn1_err.c +++ b/crypto/openssl/crypto/asn1/asn1_err.c @@ -188,6 +188,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, {ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, +{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"}, {ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, @@ -267,6 +268,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, +{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"}, {ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c index 66d229b0..ab646daa 100644 --- a/crypto/openssl/crypto/asn1/tasn_dec.c +++ b/crypto/openssl/crypto/asn1/tasn_dec.c @@ -1012,6 +1012,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (utype == V_ASN1_BMPSTRING && (len & 1)) + { + ASN1err(ASN1_F_ASN1_EX_C2I, + ASN1_R_BMPSTRING_IS_WRONG_LENGTH); + goto err; + } + if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) + { + ASN1err(ASN1_F_ASN1_EX_C2I, + ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); + goto err; + } /* All based on ASN1_STRING and handled the same */ if (!*pval) { -- 2.42.0