diff options
| author | tb <> | 2026-01-27 14:18:32 +0000 |
|---|---|---|
| committer | tb <> | 2026-01-27 14:18:32 +0000 |
| commit | b468f25e20a1bbfbabbc534c5c2b1b862fe98bbe (patch) | |
| tree | 3105ab7df719e7068b2b599dadb5a306e30e122c /src/lib/libcrypto/ts | |
| parent | 80b52a32d57440334a364d1c23155c87f46f2831 (diff) | |
| download | openbsd-b468f25e20a1bbfbabbc534c5c2b1b862fe98bbe.tar.gz openbsd-b468f25e20a1bbfbabbc534c5c2b1b862fe98bbe.tar.bz2 openbsd-b468f25e20a1bbfbabbc534c5c2b1b862fe98bbe.zip | |
Avoid type confusion in the timestamp response parsing
A malformed v2 signing cert can lead to a type confusion, and the result
is a read from an invalid memory address or NULL, so a crash. Unlike for
OpenSSL, v1 signing certs aren't affected since miod fixed this in '14.
Reported by Luigino Camastra, fix by Bob Beck, via OpenSSL, CVE 2025-69420.
ok jsing
Diffstat (limited to 'src/lib/libcrypto/ts')
| -rw-r--r-- | src/lib/libcrypto/ts/ts_rsp_verify.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c index e9a778bb88..8731e04c0d 100644 --- a/src/lib/libcrypto/ts/ts_rsp_verify.c +++ b/src/lib/libcrypto/ts/ts_rsp_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ts_rsp_verify.c,v 1.32 2025/12/05 14:19:27 tb Exp $ */ | 1 | /* $OpenBSD: ts_rsp_verify.c,v 1.33 2026/01/27 14:18:32 tb Exp $ */ |
| 2 | /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL | 2 | /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL |
| 3 | * project 2002. | 3 | * project 2002. |
| 4 | */ | 4 | */ |
| @@ -365,6 +365,8 @@ ESS_get_signing_cert_v2(PKCS7_SIGNER_INFO *si) | |||
| 365 | attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2); | 365 | attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2); |
| 366 | if (attr == NULL) | 366 | if (attr == NULL) |
| 367 | return NULL; | 367 | return NULL; |
| 368 | if (attr->type != V_ASN1_SEQUENCE) | ||
| 369 | return NULL; | ||
| 368 | p = attr->value.sequence->data; | 370 | p = attr->value.sequence->data; |
| 369 | return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length); | 371 | return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length); |
| 370 | } | 372 | } |