[Pkg-openssl-devel] Bug#539449: Bug#539449: openssl: vulnerable to null character certificate spoofing
Kurt Roeckx
kurt at roeckx.be
Tue Aug 4 17:01:08 UTC 2009
On Fri, Jul 31, 2009 at 07:00:11PM -0400, Michael S. Gilbert wrote:
> package: openssl
> version: 0.9.8
> severity: important
> tags: security
>
> It has been disclosed that SSL applications can be tricked via
> inauthentic certificates containing null characters [0]. I have not
> personally checked whether openssl is affected by this, but since this
> is newly disclosed, it is very likely the case. Please check and fix
> if need be. Thanks.
So there might be 2 issues:
- The API might not return a length of the string so that you
can't check the whole string. At first look, this does not
seem to be a problem. (Microsoft has/had this problem?)
- Users of the API do not use it properly.
The second can be split in two cases:
- Internal use by openssl/libcrypto/libssl. At first look this
seems to be correct, but this was just a quick look.
- Other applications making use of it. They all really
  should get checked, and that is outside the scope of this package.
So I'm currently under the impression that nothing needs to
be fixed in the openssl package.
Kurt
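The two failure modes Kurt separates above (an API that hides the real string length, and callers that treat the returned bytes as a C string) are easiest to see side by side. The following is an added example, not code from this thread or from the openssl package: it parses a single DER-encoded commonName value (the form ASN1_STRING data takes inside a certificate subject), then matches it against an expected hostname first the naive way, with strcmp on a NUL-terminated copy, and then with a length-aware comparison that rejects embedded NULs. In OpenSSL terms the naive path corresponds to trusting the buffer X509_NAME_get_text_by_NID() fills, while the safe path corresponds to using ASN1_STRING_length() together with the raw data. The sample values, the hostnames, and the helper names (asn1_parse_string, cn_matches_naive, cn_matches_safe) are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A parsed ASN.1 string value: pointer into the DER plus its real length. */
struct asn1_str {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample: DER PrintableString (tag 0x13) encoding the value
 * "www.bank.example\0.evil.example" (30 bytes, one of them NUL). */
static const unsigned char SPOOFED_CN[] = {
    0x13, 0x1e,
    'w','w','w','.','b','a','n','k','.','e','x','a','m','p','l','e',
    0x00,
    '.','e','v','i','l','.','e','x','a','m','p','l','e'
};

/* Constructed sample: the honest value "www.bank.example" (16 bytes). */
static const unsigned char HONEST_CN[] = {
    0x13, 0x10,
    'w','w','w','.','b','a','n','k','.','e','x','a','m','p','l','e'
};

/* Parse one primitive ASN.1 string TLV (PrintableString, UTF8String or
 * IA5String; short-form and 1- or 2-byte long-form lengths).
 * Returns false on any malformed or truncated input. */
static bool asn1_parse_string(const unsigned char *buf, size_t buflen,
                              struct asn1_str *out)
{
    size_t len, hdr;

    if (buflen < 2)
        return false;
    if (buf[0] != 0x13 && buf[0] != 0x0c && buf[0] != 0x16)
        return false;

    if (buf[1] < 0x80) {
        len = buf[1];
        hdr = 2;
    } else if (buf[1] == 0x81) {
        if (buflen < 3)
            return false;
        len = buf[2];
        hdr = 3;
    } else if (buf[1] == 0x82) {
        if (buflen < 4)
            return false;
        len = ((size_t)buf[2] << 8) | buf[3];
        hdr = 4;
    } else {
        return false;
    }
    if (len > buflen - hdr)   /* declared length runs past the buffer */
        return false;

    out->data = buf + hdr;
    out->len = len;
    return true;
}

/* Vulnerable pattern: copy the value into a C string and strcmp() it.
 * The comparison stops at the embedded NUL, so the spoofed CN matches. */
static bool cn_matches_naive(const struct asn1_str *cn, const char *host)
{
    char buf[256];
    size_t n = cn->len < sizeof buf - 1 ? cn->len : sizeof buf - 1;

    memcpy(buf, cn->data, n);
    buf[n] = '\0';
    return strcmp(buf, host) == 0;
}

/* Hardened pattern: refuse any embedded NUL, then compare the full
 * ASN.1 length against the hostname, byte for byte. */
static bool cn_matches_safe(const struct asn1_str *cn, const char *host)
{
    size_t hlen = strlen(host);

    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;
    return cn->len == hlen && memcmp(cn->data, host, hlen) == 0;
}

int main(void)
{
    struct asn1_str cn;
    const char *host = "www.bank.example";

    if (asn1_parse_string(SPOOFED_CN, sizeof SPOOFED_CN, &cn))
        printf("spoofed CN: naive=%d safe=%d\n",
               cn_matches_naive(&cn, host), cn_matches_safe(&cn, host));
    if (asn1_parse_string(HONEST_CN, sizeof HONEST_CN, &cn))
        printf("honest  CN: naive=%d safe=%d\n",
               cn_matches_naive(&cn, host), cn_matches_safe(&cn, host));
    return 0;
}
```

The same distinction applies to every other name field a client matches on, including subjectAltName dNSName entries: whatever the API hands back, the comparison has to use the ASN.1 length, not the position of the first NUL byte.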