[Pkg-openssl-devel] Bug#397151: /usr/lib/libcrypto.so.0.9.8: logic error in X509 policy checking
Jochen Voss
voss at debian.org
Sun Nov 5 15:40:35 CET 2006
Package: libssl0.9.8
Version: 0.9.8c-3
Severity: normal
File: /usr/lib/libcrypto.so.0.9.8
Hello,
recently I came across the following bit of code in the source file
openssl-0.9.8c/crypto/x509v3/pcy_tree.c (function tree_init, around
line 200):

    if (!(x->ex_flags && EXFLAG_SS) || (i == 0))
        level->flags |= X509_V_FLAG_INHIBIT_ANY;
    }

The value EXFLAG_SS is clearly meant to be a mask for a bit field and
presumably the '&&' was meant to be the bit operation '&'. The
definition of 'EXFLAG_SS' is in "x509v3.h" line 366:

    #define EXFLAG_CA        0x10
    #define EXFLAG_SS        0x20
    #define EXFLAG_V1        0x40
    #define EXFLAG_INVALID   0x80
    #define EXFLAG_SET       0x100
    #define EXFLAG_CRITICAL  0x200
    #define EXFLAG_PROXY     0x400

and for example in line 134 of "pcy_tree.c" it is used as

    if (!(x->ex_flags & EXFLAG_SS)
        && (cache->explicit_skip != -1)
        && (cache->explicit_skip < explicit_policy))
        explicit_policy = cache->explicit_skip;
    }

I did not check in any way whether this is exploitable, but probably
it should be fixed anyway.
I hope this helps,
Jochen
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
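
The difference between the two operators in the condition quoted above, as an added example that is not part of the original report or of OpenSSL. The helper names, the sample flag combinations and the chain depth of 3 are assumptions made for illustration; only the mask values come from the quoted header.

```c
#include <stdio.h>

/* Mask values copied from the x509v3.h excerpt quoted in the report. */
#define EXFLAG_CA  0x10
#define EXFLAG_SS  0x20
#define EXFLAG_SET 0x100

/* Hypothetical helper: the tree_init() condition as quoted, using '&&'.
 * Returns 1 where X509_V_FLAG_INHIBIT_ANY would be set for chain index i. */
static int inhibit_any_logical(unsigned long ex_flags, unsigned long ss, int i)
{
    return !(ex_flags && ss) || (i == 0);   /* true for ANY non-zero ex_flags */
}

/* Hypothetical helper: the same condition with the bitwise '&' the report suggests. */
static int inhibit_any_bitwise(unsigned long ex_flags, unsigned long ss, int i)
{
    return !(ex_flags & ss) || (i == 0);    /* tests only the EXFLAG_SS bit */
}

/* Constructed sample inputs: flag combinations a certificate might carry. */
static const unsigned long SAMPLE_FLAGS[] = {
    0, EXFLAG_SET, EXFLAG_SET | EXFLAG_CA,
    EXFLAG_SET | EXFLAG_SS, EXFLAG_SET | EXFLAG_CA | EXFLAG_SS
};
#define N_SAMPLES ((int)(sizeof SAMPLE_FLAGS / sizeof SAMPLE_FLAGS[0]))

/* Compare both forms for every sample at chain indexes 0..depth-1. */
static int count_disagreements(int depth)
{
    int n = 0;
    for (int f = 0; f < N_SAMPLES; f++)
        for (int i = 0; i < depth; i++) {
            int a = inhibit_any_logical(SAMPLE_FLAGS[f], EXFLAG_SS, i);
            int b = inhibit_any_bitwise(SAMPLE_FLAGS[f], EXFLAG_SS, i);
            if (a != b) {
                printf("ex_flags=0x%03lx i=%d: '&&' -> %d, '&' -> %d\n",
                       SAMPLE_FLAGS[f], i, a, b);
                n++;
            }
        }
    return n;
}

int main(void)
{
    printf("%d disagreements\n", count_disagreements(3));
    return 0;
}
```

The two forms differ only when i is not 0, EXFLAG_SS is clear and some other flag bit is set: there the '&&' form leaves the inhibit flag unset while the '&' form sets it. Clang reports this pattern with -Wconstant-logical-operand when the right-hand side is a literal constant such as EXFLAG_SS.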