authorbluhm <>2023-02-07 15:59:30 +0000
committerbluhm <>2023-02-07 15:59:30 +0000
commitb97675d28b02ee29a948d57541a31d98a7511ffe (patch)
treeb72bba4d2efe050844348be589337db4e1d31352
parent61b6431101b97d079ab0f5e60f51ceb9e6959e54 (diff)
Fix arbitrary memory read in GENERAL_NAME_cmp()libressl-v3.5.4
The ASN.1 template for GENERAL_NAME and its corresponding C structure disagree on the type of the x400Address member. This results in an ASN.1 string being treated as an ASN.1 type, which allows an attacker to read (essentially) arbitrary memory. Fix this by forcing comparison as strings. While the underlying type confusion has been present since time immemorial, this particular bug came with the EdiPartyName fix (6.8/008_asn1.patch.sig). Reported by David Benjamin, fix suggested by jsing. Release date for this was set to be January 31. Unilaterally pushed back to February 7 by OpenSSL by way of announcement of many completely unrelated embargoed issues, some of which they had been sitting on since July 2020. from tb@; OK beck@ jsing@ this is errata/7.1/022_x509.patch.sig
-rw-r--r--src/lib/libcrypto/x509/x509_genn.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/lib/libcrypto/x509/x509_genn.c b/src/lib/libcrypto/x509/x509_genn.c
index dadf6f1e40..2e11f19dc1 100644
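--- a/src/lib/libcrypto/x509/x509_genn.c
+++ b/src/lib/libcrypto/x509/x509_genn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_genn.c,v 1.2 2020/12/08 15:06:42 tb Exp $ */
+/* $OpenBSD: x509_genn.c,v 1.2.6.1 2023/02/07 15:59:30 bluhm Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -366,7 +366,8 @@ GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
  return -1;
  switch (a->type) {
  case GEN_X400:
- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+ result = ASN1_STRING_cmp((ASN1_STRING *)a->d.x400Address,
+ (ASN1_STRING *)b->d.x400Address);
  break;
 
  case GEN_EDIPARTY: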
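Review bot: The two `(ASN1_STRING *)` casts in the `GEN_X400` case are the whole fix, yet nothing in the code says why they are there, so a later cleanup could restore `ASN1_TYPE_cmp()` and reopen the out-of-bounds read. I would add above the call `/* x400Address is declared as ASN1_TYPE * but the template decodes an ASN1_STRING; compare as strings. */`. Going by the commit message, the declared member type is left unchanged, so any other code that reads `d.x400Address` as an `ASN1_TYPE` would presumably still be confused; those call sites are not in this diff and deserve a check. `GENERAL_NAME_cmp()` starts and ends outside the hunk.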