git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Steffan Karger <steffan.karger@fox-it.com>
	Mon, 19 Jun 2017 09:28:36 +0000 (11:28 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Mon, 19 Jun 2017 15:32:16 +0000 (17:32 +0200)
commit	426392940c7060300a10077c389f5156c790c2f6
tree	c6f14f6ca34f1c510d8559fb2870a2b9623a7548	tree
parent	5bde5b6d1875fd87b116c943084df0d2f6aee6d0	commit \| diff

mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)

asn1_buf_to_c_string() returned a literal string if the input ASN.1 string
contained a NUL character, while the caller expects a mutable string.
The caller will attempt to change this string, which allows a client to
crash a server by sending a certificate with an embedded NUL character.

(The other way around is not interesting, as servers are allowed to stop
a client by design.)

Impact analysis:
* applies to mbedtls builds only
* introduced in 2.4 (so 2.3 is not affected)
* can only be exploited if the --x509-track option is used
* requires the CA to sign a certificate with an embedded NUL in the
certificate subject

This bug was discovered and reported to the OpenVPN security team by
Guido Vranken.

CVE: 2017-7522
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1497864520-12219-2-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-2-git-send-email-steffan.karger@fox-it.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Changes.rst		diff \| blob \| blame \| history
src/openvpn/ssl_verify_mbedtls.c		diff \| blob \| blame \| history