Re: git: 0990136ed175 - main - kerberos5: Mitigate the possibility of using an old libcrypto

Reply: Jessica Clarke : "Re: git: 0990136ed175 - main - kerberos5: Mitigate the possibility of using an old libcrypto"
In reply to: Jessica Clarke : "Re: git: 0990136ed175 - main - kerberos5: Mitigate the possibility of using an old libcrypto"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Shawn Webb <shawn.webb_at_hardenedbsd.org>
Date: Thu, 18 Jan 2024 17:35:25 UTC

On Thu, Jan 18, 2024 at 05:29:47PM +0000, Jessica Clarke wrote:
> On 18 Jan 2024, at 15:23, Cy Schubert <cy@FreeBSD.org> wrote:
> > 
> > The branch main has been updated by cy:
> > 
> > URL: https://cgit.FreeBSD.org/src/commit/?id=0990136ed1753ac7837206f9c5f4b83ccff6c405
> > 
> > commit 0990136ed1753ac7837206f9c5f4b83ccff6c405
> > Author:     Cy Schubert <cy@FreeBSD.org>
> > AuthorDate: 2024-01-18 08:22:20 +0000
> > Commit:     Cy Schubert <cy@FreeBSD.org>
> > CommitDate: 2024-01-18 15:12:14 +0000
> > 
> >    kerberos5: Mitigate the possibility of using an old libcrypto
> > 
> >    By using the full library name (libcrypto.so.30) we avoid the exposure
> >    of using an old, possibly vulnerable, library.
> > 
> >    Reported by:            jrtc27
> >    MFC after:              3 days
> >    X-MFC with:             476d63e091c2
> >    Fixes:                  476d63e091c2
> > ---
> > kerberos5/lib/libroken/fbsd_ossl_provider_load.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
> > index 497b32124f96..2328041bc166 100644
> > --- a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
> > +++ b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
> > @@ -5,6 +5,7 @@
> > #include <openssl/provider.h>
> > 
> > #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
> > +#define CRYPTO_LIBRARY "/lib/libcrypto.so.30"
> 
> This still assumes the native ABI is in use, i.e. doesn’t account for
> libcompat. Can we please just drop the directory, or if it’s really
> needed for some reason at least handle the libcompat case?

Using relative paths might carry a potential security risk if the
LD_LIBRARY_PATH environment variable is set to an attacker-controlled
directory.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc