| Message ID | 20191219220421.22206-10-ynezz@true.cz |
|---|---|
| State | Accepted |
| Delegated to: | Petr Štetiar |
| Headers | show
Return-Path: <openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org> X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=<UNKNOWN>) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=true.cz Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="OvW3KygH"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47f5Zh6bfHz9sPJ for <incoming@patchwork.ozlabs.org>; Fri, 20 Dec 2019 09:07:08 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Subject:MIME-Version:References: In-Reply-To:Message-Id:Date:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=hBDAGnF6nEOO+QShA8fGqqZwvh75Ingpvbz6ItANVpk=; b=OvW3KygHrv+P/E J16xxMy9rr3ZQmeHxmeZ92i4Te4gj014loaYMj+F4Uqg2aJY7GGT+cwl2UAj5ZdI99nP5u5Hk7xNs iC0RsOt7st9G25eWI9qKWqoXSBkgZt/1coAegyryZPO7MK5VO5SWzRms3u/IxID3eL/i7RSBg1gbL 1t6B87KHNR/EnM/QNMDl3TOAX5stAvNRSkMb5rGWmsgylOkxdTwJWGyWGcIuriKo2BVa/h7+5jz94 bBjzweMy00+CjWxPk4BtBfN3qIld53yg7pRQq+5feZt3/040lDn/Qnfw0nSd58Osbmu8rSuNBgbeS QXDVu+m8+O7HQRAlOQ1Q==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1ii3wp-0001QK-4l; Thu, 19 Dec 2019 22:07:07 +0000 Received: from smtp-out.xnet.cz ([178.217.244.18]) by bombadil.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1ii3uO-0003ms-9Z for openwrt-devel@lists.openwrt.org; Thu, 19 Dec 2019 22:04:46 +0000 Received: from meh.true.cz (meh.true.cz [108.61.167.218]) (Authenticated sender: petr@true.cz) by smtp-out.xnet.cz (Postfix) with ESMTPSA id 6BFF24B99; Thu, 19 Dec 2019 23:04:31 +0100 (CET) Received: by meh.true.cz (OpenSMTPD) with ESMTP id cefa8409; Thu, 19 Dec 2019 23:04:21 +0100 (CET) From: =?utf-8?q?Petr_=C5=A0tetiar?= <ynezz@true.cz> To: openwrt-devel@lists.openwrt.org Date: Thu, 19 Dec 2019 23:04:21 +0100 Message-Id: <20191219220421.22206-10-ynezz@true.cz> In-Reply-To: <20191219220421.22206-1-ynezz@true.cz> References: <20191219220421.22206-1-ynezz@true.cz> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20191219_140436_529858_33EF8870 X-CRM114-Status: UNSURE ( 9.54 ) X-CRM114-Notice: Please train this message. X-Spam-Score: 0.0 (/) X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: Content analysis details: (0.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [178.217.244.18 listed in list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record Subject: [OpenWrt-Devel] [PATCH ucert 9/9] fix certificate blob parsing vulnerability by using blob_parse_untrusted X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: <openwrt-devel.lists.openwrt.org> List-Unsubscribe: <http://lists.infradead.org/mailman/options/openwrt-devel>, <mailto:openwrt-devel-request@lists.openwrt.org?subject=unsubscribe> List-Archive: <http://lists.infradead.org/pipermail/openwrt-devel/> List-Post: <mailto:openwrt-devel@lists.openwrt.org> List-Help: <mailto:openwrt-devel-request@lists.openwrt.org?subject=help> List-Subscribe: <http://lists.infradead.org/mailman/listinfo/openwrt-devel>, <mailto:openwrt-devel-request@lists.openwrt.org?subject=subscribe> Cc: =?utf-8?q?Petr_=C5=A0tetiar?= <ynezz@true.cz> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org> Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org |
| Series |
GitLab CI, tests, fixes and improvements
|
expand
|
diff --git a/ucert.c b/ucert.c index 76960a200be0..d822199eb7f8 100644 --- a/ucert.c +++ b/ucert.c @@ -154,7 +154,7 @@ static int cert_load(const char *certfile, struct list_head *chain) { bufpt = (struct blob_attr *)filebuf; do { - pret = blob_parse(bufpt, certtb, cert_policy, CERT_ATTR_MAX); + pret = blob_parse_untrusted(bufpt, len, certtb, cert_policy, CERT_ATTR_MAX); if (pret <= 0) /* no attributes found */ break;
blob_parse expects blobs from trusted inputs, but in this case it can be supplied with possibly malicious certificates from untrusted inputs as well, so in order to prevent such conditions, switch to blob_parse_untrusted which should hopefully handle such inputs appropriately. Signed-off-by: Petr Štetiar <ynezz@true.cz> --- ucert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)