Fix potential double-free in --x509-alt-username (CVE-2017-7521)
We didn't check the return value of ASN1_STRING_to_UTF8() in extract_x509_extension(). Ignoring such a failure could result in buf being free'd twice. An error in ASN1_STRING_to_UTF8() can be caused remotely if the peer can make the local process run out of memory.

The problem can only be triggered for configurations that use the --x509-alt-username option with an x509 extension (i.e. the option parameter starts with "ext:").

This issue was discovered, analysed and reported to the OpenVPN team by Guido Vranken.

Extensive testing by Guido Vranken gives confidence that this function is very unlikely to fail in real-world usage (using subjectAltName or issuerAltName extensions) for other reasons than memory exhaustion.

CVE: 2017-7521
Signed-off-by: Steffan Karger <email@example.com>
Acked-by: Gert Doering <firstname.lastname@example.org>
Acked-by: David Sommerseth <email@example.com>
Acked-by: Guido Vranken <firstname.lastname@example.org>
Message-Id: <email@example.com>
URL: https://firstname.lastname@example.org
Signed-off-by: Gert Doering <email@example.com>
Showing with 11 additions and 1 deletion.
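The failure mode the commit message describes, as an added C example that is not OpenVPN's code: a converter that leaves its output pointer untouched on failure, and a caller that frees the pointer with and without checking the return value. The loop, `to_utf8_stub`, `tracked_free`, `scan` and the sample names are constructed assumptions; `tracked_free` counts an invalid free instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed bookkeeping so a repeated free is counted, not executed. */
static void *live[8];
static int bad_frees, call_no, fail_at;

static void tracked_free(void *p)
{
    if (!p) return;
    for (int i = 0; i < 8; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    bad_frees++;                 /* p is not live: this would be a double free */
}

/* Hypothetical stand-in for an ASN1_STRING_to_UTF8()-style converter: sets *out
 * and returns the length, or returns -1 and leaves *out untouched on failure. */
static int to_utf8_stub(char **out, const char *in)
{
    if (call_no++ == fail_at) return -1;   /* simulated memory exhaustion */
    size_t n = strlen(in) + 1;
    char *p = malloc(n);
    if (!p) return -1;
    memcpy(p, in, n);
    for (int i = 0; i < 8; i++)
        if (!live[i]) { live[i] = p; break; }
    *out = p;
    return (int)(n - 1);
}

/* Converts each name and frees the result; returns the number of invalid frees. */
static int scan(const char **names, int count, int fail_on_call, int check_rc)
{
    char *buf = NULL;
    bad_frees = 0; call_no = 0; fail_at = fail_on_call;
    for (int i = 0; i < count; i++) {
        int rc = to_utf8_stub(&buf, names[i]);
        if (check_rc && rc < 0)
            continue;            /* hardened: buf was not set, so do not free it */
        tracked_free(buf);       /* unchecked: after a failure buf is stale */
    }
    return bad_frees;
}

int main(void)
{
    const char *names[] = { "alice", "bob", "carol" };   /* constructed input */
    printf("unchecked: %d invalid free(s)\n", scan(names, 3, 1, 0));
    printf("checked:   %d invalid free(s)\n", scan(names, 3, 1, 1));
    return 0;
}
```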