Re: Bug#505279: libgnutls26: segfault in _gnutls_x509_crt_get_raw_dn2

From: Simon Josefsson
Subject: Re: Bug#505279: libgnutls26: segfault in _gnutls_x509_crt_get_raw_dn2
Date: Wed, 12 Nov 2008 11:15:31 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.60 (gnu/linux)

Michael Meskes <address@hidden> writes:

> On Tue, Nov 11, 2008 at 04:55:57PM +0100, Simon Josefsson wrote:
>> I think we have identified the problem, see:
>> That patch at least solves the vulnerability and the crash, so possibly
>> it could be uploaded to debian to avoid further troubles until we have
>> released a 2.6.2 with a good fix.
> You mean just removing this code snippet instead of moving it?
>   /* Check if the last certificate in the path is self signed.
>    * In that case ignore it (a certificate is trusted only if it
>    * leads to a trusted party by us, not the server's).
>    */
>   if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
>                                    certificate_list[clist_size - 1]) > 0
>       && clist_size > 0)
>     {
>       clist_size--;
>     }


> Yes, this works. However, I wonder whether this code has any use.

Getting Nikos' comment on this would be useful.  I guess we have two

1) Remove the code.  Fixes both crash and vulnerability.
2) Change the test to clist_size>1.  Fixes both crash and vulnerability.

> If so, wouldn't it help to just use "clist_size > 1" instead of
> "clist_size > 0"? The > 0 test is bogus if you access clist_size - 1
> afterwards, but with the > 1 test it works for me as well, i.e. no
> segfault anymore.

Yes, that version of the patch works too.  I'm not sure what the
semantic differences are between the two patches.
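
The effect of the quoted check and of the two proposed changes on the list size can be compared on a toy model. This is an added example, not part of the original message and not GnuTLS code: `struct toy_cert`, `toy_check_issuer` and the `trim_*` functions are hypothetical stand-ins, and the sample chains are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a certificate: subject and issuer names only. */
struct toy_cert { const char *subject, *issuer; };

/* Toy replacement for gnutls_x509_crt_check_issuer(): 1 if `issuer` issued `cert`. */
static int toy_check_issuer(const struct toy_cert *cert, const struct toy_cert *issuer)
{
    return strcmp(cert->issuer, issuer->subject) == 0;
}

static int last_is_self_signed(const struct toy_cert *list, int n)
{
    return toy_check_issuer(&list[n - 1], &list[n - 1]);
}

/* Quoted check. The size test is evaluated first here so the demo never
 * reads list[-1]; the quoted code indexes the list before testing the size. */
int trim_original(const struct toy_cert *list, int n)
{
    return (n > 0 && last_is_self_signed(list, n)) ? n - 1 : n;
}

/* Option 2 from the thread: only trim when another certificate remains. */
int trim_gt1(const struct toy_cert *list, int n)
{
    return (n > 1 && last_is_self_signed(list, n)) ? n - 1 : n;
}

/* Option 1 from the thread: the block is removed, nothing is trimmed. */
int trim_removed(const struct toy_cert *list, int n)
{
    (void)list;
    return n;
}

/* Constructed sample chains. */
const struct toy_cert lone_self_signed[] = { { "CN=server", "CN=server" } };
const struct toy_cert leaf_plus_root[] = { { "CN=server", "CN=root" }, { "CN=root", "CN=root" } };

int main(void)
{
    printf("lone self-signed: original=%d gt1=%d removed=%d\n",
           trim_original(lone_self_signed, 1), trim_gt1(lone_self_signed, 1), trim_removed(lone_self_signed, 1));
    printf("leaf + root:      original=%d gt1=%d removed=%d\n",
           trim_original(leaf_plus_root, 2), trim_gt1(leaf_plus_root, 2), trim_removed(leaf_plus_root, 2));
    return 0;
}
```

In this model the quoted check reduces a lone self-signed certificate to a list of size 0, while both options leave it at size 1. The options differ only on longer chains: option 2 still drops a trailing self-signed certificate, option 1 keeps it in the list.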

