replace \0 to make full string visible to user (CVE-2010-2074).

2010-07-18 13:43:23 +00:00
parent f4177807ad
commit cecd2afa71
2 changed files with 28 additions and 9 deletions
--- a/7
+++ b/7
@@ -1,6 +1,3 @@
-2010-07-18  hito  <hito@localhost.localdomain>
-
-
 2010-07-18 d+w3m@vdr.jp
 	* [w3m-dev 04319] Re: w3m's bugs from bugs.debian.org
 	* doc/w3m.1: fix typo.
@@ -10,6 +7,8 @@
 	* scripts/w3mman/w3mman2html.cgi.in (Content-Type):
 	"MAN_KEEP_FORMATTING=1"
 	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=325699
+	* istream.c (ssl_check_cert_ident): replace \0 to make full string
+	visible to user (CVE-2010-2074).

 2007-06-07  Hironori Sakamoto <hsaka@mth.biglobe.ne.jp>

@@ -8946,4 +8945,4 @@ a	* [w3m-dev 03276] compile error on EWS4800
 	* release-0-2-1
 	* import w3m-0.2.1

-$Id: ChangeLog,v 1.1005 2010/07/18 13:38:30 htrb Exp $
+$Id: ChangeLog,v 1.1006 2010/07/18 13:43:23 htrb Exp $
--- a/istream.c
+++ b/istream.c
@@ -1,4 +1,4 @@
-/* $Id: istream.c,v 1.26 2007/05/23 15:06:05 inu Exp $ */
+/* $Id: istream.c,v 1.27 2010/07/18 13:43:23 htrb Exp $ */
 #include "fm.h"
 #include "myctype.h"
 #include "istream.h"
@@ -447,8 +447,17 @@ ssl_check_cert_ident(X509 * x, char *hostname)

 		    if (!seen_dnsname)
 			seen_dnsname = Strnew();
+		    /* replace \0 to make full string visible to user */
+		    if (sl != strlen(sn)) {
+			int i;
+			for (i = 0; i < sl; ++i) {
+			    if (!sn[i])
+				sn[i] = '!';
+			}
+		    }
 		    Strcat_m_charp(seen_dnsname, sn, " ", NULL);
-		    if (ssl_match_cert_ident(sn, sl, hostname))
+		    if (sl == strlen(sn) /* catch \0 in SAN */
+			&& ssl_match_cert_ident(sn, sl, hostname))
 			break;
 		}
 	    }
@@ -466,16 +475,27 @@ ssl_check_cert_ident(X509 * x, char *hostname)
    if (match_ident == FALSE && ret == NULL) {
 	X509_NAME *xn;
 	char buf[2048];
+	int slen;

 	xn = X509_get_subject_name(x);

-	if (X509_NAME_get_text_by_NID(xn, NID_commonName,
-				      buf, sizeof(buf)) == -1)
+	slen = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf));
+	if ( slen == -1)
 	    /* FIXME: gettextize? */
 	    ret = Strnew_charp("Unable to get common name from peer cert");
-	else if (!ssl_match_cert_ident(buf, strlen(buf), hostname))
+	else if (slen != strlen(buf)
+		|| !ssl_match_cert_ident(buf, strlen(buf), hostname)) {
+	    /* replace \0 to make full string visible to user */
+	    if (slen != strlen(buf)) {
+		int i;
+		for (i = 0; i < slen; ++i) {
+		    if (!buf[i])
+			buf[i] = '!';
+		}
+	    }
 	    /* FIXME: gettextize? */
 	    ret = Sprintf("Bad cert ident %s from %s", buf, hostname);
+	}
 	else
 	    match_ident = TRUE;
    }