[OpenSSL-1.0.2] CVE-2021-3712 Read buffer overruns processing ASN.1 strings

Takehiko NOZAKI reporter

changed status to resolved

BUGFIX: Issue ~~#214~~ - CVE-2021-3712 Fix a read buffer overrun in X509_CERT_AUX_print()

patch obtained from: https://github.com/openssl/openssl/commit/ccb0a11145ee72b042d10593a64eaf9e8a55ec12

original commit message:

This is a backport of commit c5dc9ab to 1.0.2. That commit fixed the same bug but in master/1.1.1 it is in the function X509_aux_print(). The original commit had the following description:

Fix a read buffer overrun in X509_aux_print().

The ASN1_STRING_get0_data(3) manual explitely cautions the reader that the data is not necessarily NUL-terminated, and the function X509_alias_set1(3) does not sanitize the data passed into it in any way either, so we must assume the return value from X509_alias_get0(3) is merely a byte array and not necessarily a string in the sense of the C language.

I found this bug while writing manual pages for X509_print_ex(3) and related functions. Theo Buehler tb@openbsd.org checked my patch to fix the same bug in LibreSSL, see

http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9

As an aside, note that the function still produces incomplete and misleading results when the data contains a NUL byte in the middle and that error handling is consistently absent throughout, even though the function provides an "int" return value obviously intended to be 1 for success and 0 for failure, and even though this function is called by another function that also wants to return 1 for success and 0 for failure and even does so in many of its code paths, though not in others. But let's stay focussed. Many things would be nice to have in the wide wild world, but a buffer overflow must not be allowed to remain in our backyard.

CVE-2021-3712

Reviewed-by: Paul Dale pauli@openssl.org

→ <<cset f137d313e9a6>>

2021-10-16T10:05:46+00:00

Comments (5)

Takehiko NOZAKI reporter
- edited description
- 2021-10-16T09:57:29+00:00
Takehiko NOZAKI reporter
- changed status to resolved
BUGFIX: Issue ~~#214~~ - CVE-2021-3712 Fix a read buffer overrun in X509_CERT_AUX_print()

patch obtained from: https://github.com/openssl/openssl/commit/ccb0a11145ee72b042d10593a64eaf9e8a55ec12

original commit message:

This is a backport of commit c5dc9ab to 1.0.2. That commit fixed the same bug but in master/1.1.1 it is in the function X509_aux_print(). The original commit had the following description:

Fix a read buffer overrun in X509_aux_print().

The ASN1_STRING_get0_data(3) manual explitely cautions the reader that the data is not necessarily NUL-terminated, and the function X509_alias_set1(3) does not sanitize the data passed into it in any way either, so we must assume the return value from X509_alias_get0(3) is merely a byte array and not necessarily a string in the sense of the C language.

I found this bug while writing manual pages for X509_print_ex(3) and related functions. Theo Buehler tb@openbsd.org checked my patch to fix the same bug in LibreSSL, see

http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9

As an aside, note that the function still produces incomplete and misleading results when the data contains a NUL byte in the middle and that error handling is consistently absent throughout, even though the function provides an "int" return value obviously intended to be 1 for success and 0 for failure, and even though this function is called by another function that also wants to return 1 for success and 0 for failure and even does so in many of its code paths, though not in others. But let's stay focussed. Many things would be nice to have in the wide wild world, but a buffer overflow must not be allowed to remain in our backyard.

CVE-2021-3712

Reviewed-by: Paul Dale pauli@openssl.org

→ <<cset f137d313e9a6>>
- 2021-10-16T10:05:46+00:00
Takehiko NOZAKI reporter
- changed title to [OpenSSL-1.0.2] CVE-2021-3712 Read buffer overruns processing ASN.1 strings
- 2022-08-23T23:47:00+00:00
Takehiko NOZAKI reporter
- changed status to open
reopen, previous commit is insufficient
- 2022-08-24T03:35:00+00:00
Takehiko NOZAKI reporter
- changed status to resolved
done, see <<cset e21d90e6ce50dedf517a594128b4396a09d7f76a..73ca2ce541f980a07d1530453454b3befeb1b0a3>>
- 2022-08-24T03:35:49+00:00
Log in to comment