From 954ab2058388f0a2380e596edf3798c691c9e6fe Mon Sep 17 00:00:00 2001 From: bluhm <> Date: Tue, 7 Feb 2023 15:59:13 +0000 Subject: Fix arbitrary memory read in GENERAL_NAME_cmp() The ASN.1 template for GENERAL_NAME and its corresponding C structure disagree on the type of the x400Address member. This results in an ASN.1 string to be considered as an ASN.1 type, which allows an attacker to read (essentially) arbitrary memory. Fix this by forcing comparison as strings. While the underlying type confusion has been present since time immemorial, this particular bug came with the EdiPartyName fix (6.8/008_asn1.patch.sig). Reported by David Benjamin, fix suggested by jsing. Release date for this was set to be January 31. Unilaterally pushed back to February 7 by OpenSSL by way of announcement of many completely unrelated embargoed issues, some of which they had been sitting on since July 2020. from tb@; OK beck@ jsing@ this is errata/7.2/018_x509.patch.sig --- src/lib/libcrypto/x509/x509_genn.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/lib/libcrypto/x509/x509_genn.c b/src/lib/libcrypto/x509/x509_genn.c index dadf6f1e40..a681cb00db 100644 --- a/src/lib/libcrypto/x509/x509_genn.c +++ b/src/lib/libcrypto/x509/x509_genn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_genn.c,v 1.2 2020/12/08 15:06:42 tb Exp $ */ +/* $OpenBSD: x509_genn.c,v 1.2.8.1 2023/02/07 15:59:13 bluhm Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -366,7 +366,8 @@ GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) return -1; switch (a->type) { case GEN_X400: - result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); + result = ASN1_STRING_cmp((ASN1_STRING *)a->d.x400Address, + (ASN1_STRING *)b->d.x400Address); break; case GEN_EDIPARTY: -- cgit v1.2.3-55-g6feb
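Review bot: the `(ASN1_STRING *)` casts in the `GEN_X400` case of the second hunk should carry a one-line comment explaining why they are needed, because a later reader will see the C structure declaring `x400Address` as an `ASN1_TYPE *` and may be tempted to put `ASN1_TYPE_cmp()` back; something like `/* The ASN.1 template types x400Address as ASN1_STRING, the struct as ASN1_TYPE; compare as strings. */` directly above `result = ASN1_STRING_cmp((ASN1_STRING *)a->d.x400Address,` would do. Comparing with `ASN1_STRING_cmp()` is the correct minimal fix: it compares the two objects by type, length and data, whereas `ASN1_TYPE_cmp()` dereferenced a `value` pointer that was never an `ASN1_TYPE`, which is what turned a comparison into an out-of-bounds read. The mismatch between the template and the structure itself is not touched by this patch, so any other code path that accesses `d.x400Address` as an `ASN1_TYPE` needs the same treatment; a follow-up that corrects the member's declared type would make the casts unnecessary.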