commit 6ae6d75ec5f75107b7a388e79e963c5a16f5d9e2
parent 3b0a15abe760a5d7ad602bd23bd2cda4370c85dc
Author: htrb <htrb>
Date: Sun, 18 Jul 2010 13:43:23 +0000
replace \0 to make full string visible to user (CVE-2010-2074).
Diffstat:
2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,3 @@
-2010-07-18 hito <hito@localhost.localdomain>
-
-
2010-07-18 d+w3m@vdr.jp
* [w3m-dev 04319] Re: w3m's bugs from bugs.debian.org
* doc/w3m.1: fix typo.
@@ -10,6 +7,8 @@
* scripts/w3mman/w3mman2html.cgi.in (Content-Type):
"MAN_KEEP_FORMATTING=1"
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=325699
+ * istream.c (ssl_check_cert_ident): replace \0 to make full string
+ visible to user (CVE-2010-2074).
2007-06-07 Hironori Sakamoto <hsaka@mth.biglobe.ne.jp>
diff --git a/istream.c b/istream.c
@@ -447,8 +447,17 @@ ssl_check_cert_ident(X509 * x, char *hostname)
if (!seen_dnsname)
seen_dnsname = Strnew();
+ /* replace \0 to make full string visible to user */
+ if (sl != strlen(sn)) {
+ int i;
+ for (i = 0; i < sl; ++i) {
+ if (!sn[i])
+ sn[i] = '!';
+ }
+ }
Strcat_m_charp(seen_dnsname, sn, " ", NULL);
- if (ssl_match_cert_ident(sn, sl, hostname))
+ if (sl == strlen(sn) /* catch \0 in SAN */
+ && ssl_match_cert_ident(sn, sl, hostname))
break;
}
}
@@ -466,16 +475,27 @@ ssl_check_cert_ident(X509 * x, char *hostname)
if (match_ident == FALSE && ret == NULL) {
X509_NAME *xn;
char buf[2048];
+ int slen;
xn = X509_get_subject_name(x);
- if (X509_NAME_get_text_by_NID(xn, NID_commonName,
- buf, sizeof(buf)) == -1)
+ slen = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf));
+ if ( slen == -1)
/* FIXME: gettextize? */
ret = Strnew_charp("Unable to get common name from peer cert");
- else if (!ssl_match_cert_ident(buf, strlen(buf), hostname))
+ else if (slen != strlen(buf)
+ || !ssl_match_cert_ident(buf, strlen(buf), hostname)) {
+ /* replace \0 to make full string visible to user */
+ if (slen != strlen(buf)) {
+ int i;
+ for (i = 0; i < slen; ++i) {
+ if (!buf[i])
+ buf[i] = '!';
+ }
+ }
/* FIXME: gettextize? */
ret = Sprintf("Bad cert ident %s from %s", buf, hostname);
+ }
else
match_ident = TRUE;
}