Fix PKINIT cert matching data construction #707

Merged
merged 1 commit into from Oct 26, 2017

@greghudson
Member

greghudson commented Oct 24, 2017

Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
allocation and to perform proper error checking.

@frozencemetery

+1, as discussed.

@frozencemetery

Contributor

frozencemetery commented Oct 25, 2017

Red Hat has assigned this CVE-2017-15088 (in our builds only, not in upstream krb5).

Fix PKINIT cert matching data construction
Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
allocation and to perform proper error checking.

ticket: 8617
target_version: 1.16
target_version: 1.15-next
target_version: 1.14-next
tags: pullup
@greghudson

Member

greghudson commented Oct 25, 2017

On self-review I noticed some minor exception-handling mistakes in the new function definition (memory leaks on error, not checking the return value of BIO_new()). Please re-review. I think the candidate fix should be okay for practical purposes.

@frozencemetery

Contributor

frozencemetery commented Oct 26, 2017

Right, this is better than the original, so +1.

(I believe BIO_new() failures aren't realistic for Linux, and the BIO leak on error isn't worth the delay a respin would require, so I agree it's fine for what I'm doing with it, and I'll plan to fix that later.)

@greghudson greghudson merged commit fbb687d into krb5:master Oct 26, 2017

2 checks passed

continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed

@greghudson greghudson deleted the greghudson:pkinit-matching branch Oct 27, 2017
