[Pkg-puppet-devel] Bug#682590: hmm
Stefanos Harhalakis
v13 at v13.gr
Tue Apr 16 00:59:04 UTC 2013
So I had another look at this and something doesn't add up.
I believe that the CVE is for CNs with / in them while the code checks the
textual representation of the whole subject.
For example, when you have C=UK CN=test.v13.gr you end up having a textual
representation of "/C=UK/CN=test.v13.gr" which fails the check because of the
"/" in it but does not seem to fall within CVE's description.
I believe the problem lies in lib/puppet/ssl/certificate.rb which uses as name
the full name instead of just CN.
Puppet's internal CA doesn't have this problem because it only adds CN to the
subject. The patch is supposed to strip everything before and after the CN=xxx
part.
Please consider the attached patch which I believe changes the representation
of the certificate name to be just the CN field. There's a bug in it in case
another field contains the string CN= in it, which will result in a failure to
match the certificate name but I believe this is minor, hard to work around
and not a security risk.
If you have a close look you'll see that puppet was already stripping the CN=
part but was failing miserably when there were other parts in the subject or
the issuer.
p.s. I don't claim to have any knowledge of puppet's code. This is just a
quick hack so standard disclaimers apply.
Thanks,
Stefanos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: certname.patch
Type: text/x-patch
Size: 612 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-puppet-devel/attachments/20130416/a1fb6c0a/attachment.bin>
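As an added illustration (this is not the attached certname.patch, which is not reproduced on this page), the Ruby below contrasts the string-stripping approach the mail describes with walking the parsed RDN sequence, using the OpenSSL bindings that Puppet itself relies on. The subjects are constructed samples; the second one puts the string "CN=" inside another attribute to show the failure the mail calls out.

```ruby
require 'openssl'

# String-based approach, as described in the mail: strip everything before
# and after the "CN=xxx" part of the one-line subject representation.
# It breaks as soon as another attribute's value contains "CN=".
def naive_cn(subject_str)
  m = subject_str.match(%r{CN=([^/]*)})
  m && m[1]
end

# Attribute-based approach: read the commonName attribute from the parsed
# OpenSSL::X509::Name instead of pattern-matching the rendered string.
# Returns nil when there is no CN or more than one (ambiguous, so refuse
# rather than guess).
def cn_from_name(name)
  cns = name.to_a.select { |oid, _value, _type| oid == 'CN' }
  return nil unless cns.length == 1
  cns.first[1]
end

# Constructed sample subjects (not real certificates).
SUBJECT_SIMPLE = OpenSSL::X509::Name.new([['C', 'UK'], ['CN', 'test.v13.gr']])
SUBJECT_TRICKY = OpenSSL::X509::Name.new([['OU', 'CN=decoy'], ['CN', 'test.v13.gr']])

if __FILE__ == $PROGRAM_NAME
  [SUBJECT_SIMPLE, SUBJECT_TRICKY].each do |subj|
    # Name#to_s with no flags yields the legacy "/C=UK/CN=..." rendering.
    puts "#{subj}: naive=#{naive_cn(subj.to_s).inspect} parsed=#{cn_from_name(subj).inspect}"
  end
end
```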