ustream-ssl: backport fix for CVE-2019-5101, CVE-2019-5102

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit c5d5cdb759)
This commit is contained in:
Jo-Philipp Wich 2019-11-05 15:07:55 +01:00
parent e70772311d
commit 9d401013fc
2 changed files with 57 additions and 1 deletions

View File

@ -1,7 +1,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=ustream-ssl PKG_NAME:=ustream-ssl
PKG_RELEASE:=1 PKG_RELEASE:=2
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL=$(PROJECT_GIT)/project/ustream-ssl.git PKG_SOURCE_URL=$(PROJECT_GIT)/project/ustream-ssl.git

View File

@ -0,0 +1,56 @@
From c9b6668215a27f2346d5eedd6f29cc720985b448 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jo@mein.io>
Date: Wed, 11 Sep 2019 21:09:59 +0200
Subject: [PATCH] ustream-ssl: skip writing pending data if .eof is true after
connect
Check the .eof member of the underlying ustream after the call to
__ustream_ssl_connect() since existing users of the library appear
to set the eof flag as a way to signal connection termination upon
failing certificate verification.
This is a stop-gap measure to address TALOS-2019-0893 but a proper
API redesign is required to give applications proper control over
whether certificate failures are to be ignored or not and the default
implementation without custom callbacks should always terminate on
verification failures.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---
ustream-ssl.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/ustream-ssl.c b/ustream-ssl.c
index e6b084b..47f66d6 100644
--- a/ustream-ssl.c
+++ b/ustream-ssl.c
@@ -40,6 +40,26 @@ static void ustream_ssl_check_conn(struct ustream_ssl *us)
return;
if (__ustream_ssl_connect(us) == U_SSL_OK) {
+
+ /* __ustream_ssl_connect() will also return U_SSL_OK when certificate
+ * verification failed!
+ *
+ * Applications may register a custom .notify_verify_error callback in the
+ * struct ustream_ssl which is called upon verification failures, but there
+ * is no straight forward way for the callback to terminate the connection
+ * initiation right away, e.g. through a true or false return value.
+ *
+ * Instead, existing implementations appear to set .eof field of the underlying
+ * ustream in the hope that this inhibits further operations on the stream.
+ *
+ * Declare this informal behaviour "official" and check for the state of the
+ * .eof member after __ustream_ssl_connect() returned, and do not write the
+ * pending data if it is set to true.
+ */
+
+ if (us->stream.eof)
+ return;
+
us->connected = true;
if (us->notify_connected)
us->notify_connected(us);
--
2.20.1