git: 17e941a0c88c - stable/14 - kerberos5: Mitigate the possibility of using an old libcrypto
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 22 Jan 2024 15:49:25 UTC
The branch stable/14 has been updated by cy:
URL: https://cgit.FreeBSD.org/src/commit/?id=17e941a0c88cac2d8cd28d6614448adbd65d4b72
commit 17e941a0c88cac2d8cd28d6614448adbd65d4b72
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2024-01-18 08:22:20 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2024-01-22 15:49:05 +0000
kerberos5: Mitigate the possibility of using an old libcrypto
By using the full library name (libcrypto.so.30) we avoid the exposure
of using an old, possibly vulnerable, library.
Reported by: jrtc27
Fixes: 476d63e091c2
(cherry picked from commit 0990136ed1753ac7837206f9c5f4b83ccff6c405)
---
kerberos5/lib/libroken/fbsd_ossl_provider_load.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
index 497b32124f96..2328041bc166 100644
--- a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
+++ b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
@@ -5,6 +5,7 @@
#include <openssl/provider.h>
#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+#define CRYPTO_LIBRARY "/lib/libcrypto.so.30"
static void fbsd_ossl_provider_unload(void);
static void print_dlerror(char *);
static OSSL_PROVIDER *legacy;
@@ -46,7 +47,7 @@ fbsd_ossl_provider_load(void)
{
#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
if (crypto_lib_handle == NULL) {
- if (!(crypto_lib_handle = dlopen("/usr/lib/libcrypto.so",
+ if (!(crypto_lib_handle = dlopen(CRYPTO_LIBRARY,
RTLD_LAZY|RTLD_GLOBAL))) {
print_dlerror("Unable to load libcrypto.so");
return (EINVAL);