libressl/0089-CVE-2021-3712.patch

From 89d74f9b9c8c0b042e81aecb6c286253a51659d8 Mon Sep 17 00:00:00 2001
From: benno <>
Date: Fri, 20 Aug 2021 19:54:16 +0000
Subject: [PATCH] In LibreSSL, printing a certificate can result in a crash in
 X509_CERT_AUX_print().

Commit in -current:

CVSROOT:        /cvs
Module name:    src
Changes by:     schwarze@cvs.openbsd.org        2021/07/10 11:45:16

Modified files:
        lib/libcrypto/asn1: t_x509a.c

Log message:
Fix a read buffer overrun in X509_CERT_AUX_print(3),
which by implication also affects X509_print(3).

The ASN1_STRING_get0_data(3) manual explitely cautions the reader
that the data is not necessarily NUL-terminated, and the function
X509_alias_set1(3) does not sanitize the data passed into it in
any way either, so we must assume the alias->data field is merely
a byte array and not necessarily a string in the sense of the C
language.

I found this bug while writing manual pages for these functions.

OK tb@

As an aside, note that the function still produces incomplete and
misleading results when the data contains a NUL byte in the middle
and that error handling is consistently absent throughout, even
though the function provides an "int" return value obviously intended
to be 1 for success and 0 for failure, and even though this function
is called by another function that also wants to return 1 for success
and 0 for failure and even does so in many of its code paths, though
not in others.  But let's stay focussed.  Many things would be nice
to have in the wide wild world, but a buffer overflow must not be
allowed to remain in our backyard.

This is patches/6.8/common/029_x509.patch.sig
---
 src/lib/libcrypto/asn1/t_x509a.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lib/libcrypto/asn1/t_x509a.c b/src/lib/libcrypto/asn1/t_x509a.c
index fd68211b84..173465b295 100644
--- a/src/lib/libcrypto/asn1/t_x509a.c
+++ b/src/lib/libcrypto/asn1/t_x509a.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_x509a.c,v 1.8 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: t_x509a.c,v 1.8.18.1 2021/08/20 19:54:16 benno Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -105,8 +105,8 @@ X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
 	} else
 		BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
 	if (aux->alias)
-		BIO_printf(out, "%*sAlias: %s\n", indent, "",
-		    aux->alias->data);
+		BIO_printf(out, "%*sAlias: %.*s\n", indent, "",
+		    aux->alias->length, aux->alias->data);
 	if (aux->keyid) {
 		BIO_printf(out, "%*sKey Id: ", indent, "");
 		for (i = 0; i < aux->keyid->length; i++)
Fix CVE-2021-3712 2021-09-07 00:56:28 +03:00			`From 89d74f9b9c8c0b042e81aecb6c286253a51659d8 Mon Sep 17 00:00:00 2001`
			`From: benno <>`
			`Date: Fri, 20 Aug 2021 19:54:16 +0000`
			`Subject: [PATCH] In LibreSSL, printing a certificate can result in a crash in`
			`X509_CERT_AUX_print().`

			`Commit in -current:`

			`CVSROOT: /cvs`
			`Module name: src`
			`Changes by: schwarze@cvs.openbsd.org 2021/07/10 11:45:16`

			`Modified files:`
			`lib/libcrypto/asn1: t_x509a.c`

			`Log message:`
			`Fix a read buffer overrun in X509_CERT_AUX_print(3),`
			`which by implication also affects X509_print(3).`

			`The ASN1_STRING_get0_data(3) manual explitely cautions the reader`
			`that the data is not necessarily NUL-terminated, and the function`
			`X509_alias_set1(3) does not sanitize the data passed into it in`
			`any way either, so we must assume the alias->data field is merely`
			`a byte array and not necessarily a string in the sense of the C`
			`language.`

			`I found this bug while writing manual pages for these functions.`

			`OK tb@`

			`As an aside, note that the function still produces incomplete and`
			`misleading results when the data contains a NUL byte in the middle`
			`and that error handling is consistently absent throughout, even`
			`though the function provides an "int" return value obviously intended`
			`to be 1 for success and 0 for failure, and even though this function`
			`is called by another function that also wants to return 1 for success`
			`and 0 for failure and even does so in many of its code paths, though`
			`not in others. But let's stay focussed. Many things would be nice`
			`to have in the wide wild world, but a buffer overflow must not be`
			`allowed to remain in our backyard.`

			`This is patches/6.8/common/029_x509.patch.sig`
			`---`
			`src/lib/libcrypto/asn1/t_x509a.c \| 6 +++---`
			`1 file changed, 3 insertions(+), 3 deletions(-)`

			`diff --git a/src/lib/libcrypto/asn1/t_x509a.c b/src/lib/libcrypto/asn1/t_x509a.c`
			`index fd68211b84..173465b295 100644`
			`--- a/src/lib/libcrypto/asn1/t_x509a.c`
			`+++ b/src/lib/libcrypto/asn1/t_x509a.c`
			`@@ -1,4 +1,4 @@`
			`-/* $OpenBSD: t_x509a.c,v 1.8 2014/07/11 08:44:47 jsing Exp $ */`
			`+/* $OpenBSD: t_x509a.c,v 1.8.18.1 2021/08/20 19:54:16 benno Exp $ */`
			`/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL`
			`* project 1999.`
			`*/`
			`@@ -105,8 +105,8 @@ X509_CERT_AUX_print(BIO out, X509_CERT_AUX aux, int indent)`
			`} else`
			`BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");`
			`if (aux->alias)`
			`- BIO_printf(out, "%*sAlias: %s\n", indent, "",`
			`- aux->alias->data);`
			`+ BIO_printf(out, "%sAlias: %.s\n", indent, "",`
			`+ aux->alias->length, aux->alias->data);`
			`if (aux->keyid) {`
			`BIO_printf(out, "%*sKey Id: ", indent, "");`
			`for (i = 0; i < aux->keyid->length; i++)`