CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)

hlandau · levitte · commit 2c6c9d439b48 · 2023-02-03T11:22:47.000+01:00
Reviewed-by: Paul Dale &lt;pauli@openssl.org&gt;
Reviewed-by: Tomas Mraz &lt;tomas@openssl.org&gt;
diff --git a/CHANGES b/CHANGES
@@ -9,7 +9,23 @@
 
  Changes between 1.1.1s and 1.1.1t [xx XXX xxxx]
 
-  *)
+  *) Fixed a type confusion vulnerability relating to X.400 address processing
+     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
+     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
+     vulnerability may allow an attacker who can provide a certificate chain and
+     CRL (neither of which need have a valid signature) to pass arbitrary
+     pointers to a memcmp call, creating a possible read primitive, subject to
+     some constraints. Refer to the advisory for more information. Thanks to
+     David Benjamin for discovering this issue. (CVE-2023-0286)
+
+     This issue has been fixed by changing the public header file definition of
+     GENERAL_NAME so that x400Address reflects the implementation. It was not
+     possible for any existing application to successfully use the existing
+     definition; however, if any application references the x400Address field
+     (e.g. in dead code), note that the type of this field has changed. There is
+     no ABI change.
+
+     [Hugo Landau]
 
  Changes between 1.1.1r and 1.1.1s [1 Nov 2022]
 
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
         return -1;
     switch (a->type) {
     case GEN_X400:
-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
         break;
 
     case GEN_EDIPARTY:
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
         OTHERNAME *otherName;   /* otherName */
         ASN1_IA5STRING *rfc822Name;
         ASN1_IA5STRING *dNSName;
-        ASN1_TYPE *x400Address;
+        ASN1_STRING *x400Address;
         X509_NAME *directoryName;
         EDIPARTYNAME *ediPartyName;
         ASN1_IA5STRING *uniformResourceIdentifier;
diff --git a/test/v3nametest.c b/test/v3nametest.c
@@ -646,6 +646,14 @@ static struct gennamedata {
             0xb7, 0x09, 0x02, 0x02
         },
         15
+    }, {
+        /*
+         * Regression test for CVE-2023-0286.
+         */
+        {
+            0xa3, 0x00
+        },
+        2
     }
 };
 

Original file line number	Diff line number	Diff line change
`@@ -646,6 +646,14 @@ static struct gennamedata {`
`646`	`646`	`0xb7, 0x09, 0x02, 0x02`
`647`	`647`	`},`
`648`	`648`	`15`
	`649`	`+ }, {`
	`650`	`+ /*`
	`651`	`+ * Regression test for CVE-2023-0286.`
	`652`	`+ */`
	`653`	`+ {`
	`654`	`+ 0xa3, 0x00`
	`655`	`+ },`
	`656`	`+ 2`
`649`	`657`	`}`
`650`	`658`	`};`
`651`	`659`