Re: Bug#505279: libgnutls26: segfault in _gnutls_x509_crt_get_raw_dn2

From: Simon Josefsson
Subject: Re: Bug#505279: libgnutls26: segfault in _gnutls_x509_crt_get_raw_dn2
Date: Wed, 12 Nov 2008 11:15:31 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.60 (gnu/linux)
Michael Meskes <address@hidden> writes:
> On Tue, Nov 11, 2008 at 04:55:57PM +0100, Simon Josefsson wrote:
>> I think we have identified the problem, see:
>>
>> http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3216/focus=3230
>>
>> That patch at least solves the vulnerability and the crash, so possibly
>> it could be uploaded to debian to avoid further troubles until we have
>> released a 2.6.2 with a good fix.
>
> You mean just removing this code snippet instead of moving it?
>
> /* Check if the last certificate in the path is self signed.
>  * In that case ignore it (a certificate is trusted only if it
>  * leads to a trusted party by us, not the server's).
>  */
> if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
>                                   certificate_list[clist_size - 1]) > 0
>     && clist_size > 0)
>   {
>     clist_size--;
>   }
Yes.
> Yes, this works. However, I wonder whether this code has any use.
Getting Nikos' comment on this would be useful. I guess we have two
choices:
1) Remove the code. Fixes both crash and vulnerability.
2) Change the test to clist_size>1. Fixes both crash and vulnerability.
> If so, wouldn't it help to just use "clist_size > 1" instead of
> "clist_size > 0"? The > 0 test is bogus if you access clist_size - 1
> afterwards, but with the > 1 test it works for me as well, i.e. no
> segfault anymore.
Yes, that version of the patch works too. I'm not sure what the
semantic differences are between the two patches.
/Simon
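The following is an added illustration, not code from GnuTLS or from anyone in this thread. It models the quoted block with a constructed `toy_cert` type and a stand-in `toy_check_issuer()` (both assumptions, standing in for `gnutls_x509_crt_t` and `gnutls_x509_crt_check_issuer()`), and puts the three variants discussed side by side: the original test order, Simon's option 1 (block removed) and option 2 (`clist_size > 1`). Run on a few constructed chains it shows why the original `> 0` test is the wrong guard: for a single self-signed certificate it indexes the array first and then shrinks the list to zero entries, so any later `certificate_list[clist_size - 1]` access is out of range. It also shows where the two fixes differ: with a chain ending in a self-signed root, option 2 still drops that root while option 1 keeps it, which is the semantic difference the reply asks about.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a certificate: for the self-signed check
 * under discussion only the subject and issuer names matter. */
typedef struct {
    const char *subject;
    const char *issuer;
} toy_cert;

/* Stand-in for gnutls_x509_crt_check_issuer(): returns 1 when `issuer`
 * could have issued `cert` (names match), 0 otherwise. Checking a
 * certificate against itself therefore reports whether it is self-signed. */
static int toy_check_issuer(const toy_cert *cert, const toy_cert *issuer)
{
    return strcmp(cert->issuer, issuer->subject) == 0;
}

/* The test in the order the thread quotes it: the array is indexed before
 * the length is checked, and a single self-signed certificate passes the
 * `> 0` test and leaves an empty list behind. Callers must pass
 * clist_size >= 1; with 0 the indexing itself is already out of bounds. */
static size_t trim_original_order(const toy_cert *list, size_t clist_size)
{
    if (toy_check_issuer(&list[clist_size - 1], &list[clist_size - 1]) > 0
        && clist_size > 0)
        clist_size--;
    return clist_size;
}

/* Option 2 from the thread: test `clist_size > 1` first, so the index is
 * always in range and the trimming can never leave fewer than one entry. */
static size_t trim_fixed_guard(const toy_cert *list, size_t clist_size)
{
    if (clist_size > 1
        && toy_check_issuer(&list[clist_size - 1], &list[clist_size - 1]) > 0)
        clist_size--;
    return clist_size;
}

/* Option 1 from the thread: the block is removed; the list is used as is. */
static size_t trim_removed(const toy_cert *list, size_t clist_size)
{
    (void)list;
    return clist_size;
}

/* Constructed sample chains (not real certificates). */
static const toy_cert single_self_signed[] = {
    { "CN=Root", "CN=Root" },
};
static const toy_cert leaf_inter_root[] = {
    { "CN=host.example", "CN=Intermediate" },
    { "CN=Intermediate", "CN=Root" },
    { "CN=Root", "CN=Root" },
};
static const toy_cert leaf_inter_only[] = {
    { "CN=host.example", "CN=Intermediate" },
    { "CN=Intermediate", "CN=Root" },
};

int main(void)
{
    /* Effective chain length after each variant of the trimming code. */
    printf("single self-signed:   original=%zu option1=%zu option2=%zu\n",
           trim_original_order(single_self_signed, 1),
           trim_removed(single_self_signed, 1),
           trim_fixed_guard(single_self_signed, 1));
    printf("leaf+inter+root:      original=%zu option1=%zu option2=%zu\n",
           trim_original_order(leaf_inter_root, 3),
           trim_removed(leaf_inter_root, 3),
           trim_fixed_guard(leaf_inter_root, 3));
    printf("leaf+inter (no root): original=%zu option1=%zu option2=%zu\n",
           trim_original_order(leaf_inter_only, 2),
           trim_removed(leaf_inter_only, 2),
           trim_fixed_guard(leaf_inter_only, 2));
    return 0;
}
```

The first line of output is the crash case: the original order returns 0 for a one-certificate chain, so whatever follows and indexes `clist_size - 1` reads before the start of the array. Note that `trim_original_order` is deliberately never called with a length of 0 here, because the quoted expression indexes the array before its own length test.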