Bug 890510 (CVE-2014-3504) - VUL-0: CVE-2014-3504: serf: handling of NUL bytes in fields of an X.509 cert
Status: RESOLVED FIXED
Alias: CVE-2014-3504
Product: openSUSE 13.1
Classification: openSUSE
Component: Security
Version: Final
Hardware: All openSUSE 13.1
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Andreas Stieger
QA Contact: E-mail List
Reported: 2014-08-05 23:39 UTC by Andreas Stieger
Modified: 2014-09-09 11:51 UTC

Attachments
patch against 1.1.1 (openSUSE 12.3) (10.46 KB, patch)
2014-08-10 19:08 UTC, Andreas Stieger

Description Andreas Stieger 2014-08-05 23:39:39 UTC
User-Agent:       Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0

From https://code.google.com/p/serf/source/detail?r=2392

> Deal with NUL bytes in fields of an X.509 cert.
> 
> * buckets/ssl_buckets.c:
>   (pstrdup_escape_nul_bytes, get_subject_alt_names, validate_cert_hostname):
>     New functions.
>   (validate_server_certificate): Use validate_cert_hostname() to return
>     SERF_SSL_CERT_INVALID_HOST if CommonName or SubjectAltNames include a
>     NUL byte.
>   (convert_X509_NAME_to_table): Use pstrdup_escape_nul_bytes() to escape
>     NUL bytes before adding fields to the hash table.
>   (serf_ssl_cert_certificate): Replace some code with a call to
>     get_subject_alt_names() where we factored out the code to.
> 
> * serf_bucket_types.h
>   (SERF_SSL_CERT_INVALID_HOST): New error.

Reads like this may be similar to CVE-2009-2408, e.g. \0 bytes in certificates would allow MITM attacks. CWE-297?

> openssl x509 -in test/certs/servercert_cnsan_nul.pem -text -noout
> [...]
> Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=www.example.net\x00.example.com
> [...]

Change will be part of serf 1.3.7 scheduled for 2014-08-11.

openSUSE 13.1: libserf-1-1 (serf) 1.3.6
openSUSE 12.3: libserf-1-0 (serf) 1.1.1

Reproducible: Didn't try
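
The effect of the NUL byte in the CN quoted in the description above, as an added example (not serf's code and not part of the original report): a C-string comparison stops at the NUL, while a length-aware check rejects the field and an escaping copy keeps the NUL visible. The function and enum names are hypothetical, and the field is modelled as a plain byte buffer with an explicit length rather than an OpenSSL ASN1_STRING.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the CN from the openssl output, as raw bytes with an explicit length. */
static const unsigned char SAMPLE_CN[] = "www.example.net\0.example.com";
#define SAMPLE_CN_LEN (sizeof(SAMPLE_CN) - 1)
enum name_check { NAME_OK = 0, NAME_MISMATCH = 1, NAME_INVALID_NUL = 2 };

/* Naive check: treats the field as a C string, so the comparison stops at the NUL. */
int naive_match(const unsigned char *data, const char *host)
{
    return strcmp((const char *)data, host) == 0;
}

/* Length-aware check: reject any field with an embedded NUL before comparing. */
enum name_check checked_match(const unsigned char *data, size_t len, const char *host)
{
    if (memchr(data, '\0', len) != NULL) return NAME_INVALID_NUL;
    if (strlen(host) == len && memcmp(data, host, len) == 0) return NAME_OK;
    return NAME_MISMATCH;
}

/* Copy a field for display, writing each NUL as three characters: backslash, 0, 0.
 * The caller frees the result; returns NULL on allocation failure. */
char *escape_nul_bytes(const unsigned char *data, size_t len)
{
    size_t i, nuls = 0, o = 0;
    for (i = 0; i < len; i++) nuls += (data[i] == '\0');
    char *out = malloc(len + 2 * nuls + 1);
    if (out == NULL) return NULL;
    for (i = 0; i < len; i++) {
        if (data[i] == '\0') { memcpy(out + o, "\\00", 3); o += 3; }
        else out[o++] = (char)data[i];
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    char *shown = escape_nul_bytes(SAMPLE_CN, SAMPLE_CN_LEN);
    printf("naive=%d checked=%d escaped=%s\n",
           naive_match(SAMPLE_CN, "www.example.net"),
           checked_match(SAMPLE_CN, SAMPLE_CN_LEN, "www.example.net"),
           shown ? shown : "(alloc failed)");
    free(shown);
    return 0;
}
```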
Comment 3 Swamp Workflow Management 2014-08-06 22:00:13 UTC
bugbot adjusting priority
Comment 4 Andreas Stieger 2014-08-10 18:46:55 UTC
Preparing updates for openSUSE just now...
Comment 5 Andreas Stieger 2014-08-10 19:08:04 UTC
Created attachment 601796
patch against 1.1.1 (openSUSE 12.3)
Comment 6 Bernhard Wiedemann 2014-08-11 20:00:57 UTC
This is an autogenerated message for OBS integration:
This bug (890510) was mentioned in
https://build.opensuse.org/request/show/244258 13.1+12.3 / libserf+subversion
Comment 8 Swamp Workflow Management 2014-08-23 00:04:56 UTC
openSUSE-SU-2014:1059-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 889849,890510,890511
CVE References: CVE-2014-3504,CVE-2014-3522,CVE-2014-3528
Sources used:
openSUSE 13.1 (src):    libserf-1.3.7-16.1, subversion-1.8.10-2.29.1
openSUSE 12.3 (src):    libserf-1.1.1-2.4.1, subversion-1.7.18-2.36.1
Comment 9 Marcus Meissner 2014-09-09 11:51:51 UTC
released