Fix PKINIT cert matching data construction #707

Merged
merged 1 commit into from Oct 26, 2017

@greghudson
Member

commented Oct 24, 2017

Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
allocation and to perform proper error checking.

@frozencemetery
Contributor

left a comment

+1, as discussed.

@frozencemetery

Contributor

commented Oct 25, 2017

Red Hat has assigned this CVE-2017-15088 (in our builds only, not in upstream krb5).

@greghudson greghudson force-pushed the greghudson:pkinit-matching branch from 6de2140 to 38e6015 Oct 25, 2017

Fix PKINIT cert matching data construction
Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
allocation and to perform proper error checking.

ticket: 8617
target_version: 1.16
target_version: 1.15-next
target_version: 1.14-next
tags: pullup

@greghudson greghudson force-pushed the greghudson:pkinit-matching branch from 38e6015 to fbb687d Oct 25, 2017

@greghudson

Member Author

commented Oct 25, 2017

On self-review I noticed some minor exception-handling mistakes in the new function definition (memory leaks on error, not checking the return value of BIO_new()). Please re-review. I think the candidate fix should be okay for practical purposes.

@frozencemetery

Contributor

commented Oct 26, 2017

Right, this is better than the original, so +1.

(I believe BIO_new() failures aren't realistic for Linux, and the BIO leak on error isn't worth the delay a respin would require, so I agree it's fine for what I'm doing with it, and I'll plan to fix that later.)

@greghudson greghudson merged commit fbb687d into krb5:master Oct 26, 2017

2 checks passed

continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed

@greghudson greghudson deleted the greghudson:pkinit-matching branch Oct 27, 2017
