Skip to content

Commit e5fd172

Browse files
t8mmattcaswell
authored andcommitted
c_rehash: Do not use shell to invoke openssl
Except on VMS where it is safe. This fixes CVE-2022-1292. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Matt Caswell <matt@openssl.org>
1 parent 982fad3 commit e5fd172

File tree

1 file changed

+25
-4
lines changed

1 file changed

+25
-4
lines changed

Diff for: tools/c_rehash.in

+25-4
Original file line numberDiff line numberDiff line change
@@ -152,6 +152,23 @@ sub check_file {
152152
return ($is_cert, $is_crl);
153153
}
154154

155+
sub compute_hash {
156+
my $fh;
157+
if ( $^O eq "VMS" ) {
158+
# VMS uses the open through shell
159+
# The file names are safe there and list form is unsupported
160+
if (!open($fh, "-|", join(' ', @_))) {
161+
print STDERR "Cannot compute hash on '$fname'\n";
162+
return;
163+
}
164+
} else {
165+
if (!open($fh, "-|", @_)) {
166+
print STDERR "Cannot compute hash on '$fname'\n";
167+
return;
168+
}
169+
}
170+
return (<$fh>, <$fh>);
171+
}
155172

156173
# Link a certificate to its subject name hash value, each hash is of
157174
# the form <hash>.<n> where n is an integer. If the hash value already exists
@@ -161,10 +178,12 @@ sub check_file {
161178

162179
sub link_hash_cert {
163180
my $fname = $_[0];
164-
$fname =~ s/\"/\\\"/g;
165-
my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
181+
my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
182+
"-fingerprint", "-noout",
183+
"-in", $fname);
166184
chomp $hash;
167185
chomp $fprint;
186+
return if !$hash;
168187
$fprint =~ s/^.*=//;
169188
$fprint =~ tr/://d;
170189
my $suffix = 0;
@@ -202,10 +221,12 @@ sub link_hash_cert {
202221

203222
sub link_hash_crl {
204223
my $fname = $_[0];
205-
$fname =~ s/'/'\\''/g;
206-
my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
224+
my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
225+
"-fingerprint", "-noout",
226+
"-in", $fname);
207227
chomp $hash;
208228
chomp $fprint;
229+
return if !$hash;
209230
$fprint =~ s/^.*=//;
210231
$fprint =~ tr/://d;
211232
my $suffix = 0;

0 commit comments

Comments
 (0)