Date: Thu, 18 Jan 2024 17:29:47 +0000
From: Jessica Clarke <jrtc27@freebsd.org>
To: Cy Schubert <cy@FreeBSD.org>
Cc: "src-committers@freebsd.org" <src-committers@FreeBSD.org>, "dev-commits-src-all@freebsd.org" <dev-commits-src-all@FreeBSD.org>, "dev-commits-src-main@freebsd.org" <dev-commits-src-main@FreeBSD.org>
Subject: Re: git: 0990136ed175 - main - kerberos5: Mitigate the possibility of using an old libcrypto
Message-ID: <D89E55DF-846D-44FA-9287-0FFED7B08C2C@freebsd.org>
In-Reply-To: <202401181523.40IFNvXI077592@gitrepo.freebsd.org>
References: <202401181523.40IFNvXI077592@gitrepo.freebsd.org>
On 18 Jan 2024, at 15:23, Cy Schubert <cy@FreeBSD.org> wrote:
>
> The branch main has been updated by cy:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=0990136ed1753ac7837206f9c5f4b83ccff6c405
>
> commit 0990136ed1753ac7837206f9c5f4b83ccff6c405
> Author: Cy Schubert <cy@FreeBSD.org>
> AuthorDate: 2024-01-18 08:22:20 +0000
> Commit: Cy Schubert <cy@FreeBSD.org>
> CommitDate: 2024-01-18 15:12:14 +0000
>
> kerberos5: Mitigate the possibility of using an old libcrypto
>
> By using the full library name (libcrypto.so.30) we avoid the exposure
> of using an old, possibly vulnerable, library.
>
> Reported by: jrtc27
> MFC after: 3 days
> X-MFC with: 476d63e091c2
> Fixes: 476d63e091c2
> --- > kerberos5/lib/libroken/fbsd_ossl_provider_load.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) >=20 > diff --git a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c = b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c > index 497b32124f96..2328041bc166 100644 > --- a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c > +++ b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c > @@ -5,6 +5,7 @@ > #include <openssl/provider.h> >=20 > #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >=3D 3) > +#define CRYPTO_LIBRARY "/lib/libcrypto.so.30"

This still assumes the native ABI is in use, i.e. doesn’t account for libcompat. Can we please just drop the directory, or if it’s really needed for some reason at least handle the libcompat case?

Jess

> static void fbsd_ossl_provider_unload(void); > static void print_dlerror(char *); > static OSSL_PROVIDER *legacy; > @@ -46,7 +47,7 @@ fbsd_ossl_provider_load(void) > { > #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >=3D 3) > if (crypto_lib_handle =3D=3D NULL) { > - if (!(crypto_lib_handle =3D dlopen("/usr/lib/libcrypto.so", > + if (!(crypto_lib_handle =3D dlopen(CRYPTO_LIBRARY, > RTLD_LAZY|RTLD_GLOBAL))) { > print_dlerror("Unable to load libcrypto.so"); > return (EINVAL);
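
Review bot: In the "@@ -5,6 +5,7 @@" hunk, the new CRYPTO_LIBRARY define hard-codes both a directory and a shared-library version ("/lib/libcrypto.so.30"), while the dlopen() argument it replaces was "/usr/lib/libcrypto.so"; the move from /usr/lib to /lib is not explained in the commit message, and the "30" has to be edited by hand whenever the libcrypto version changes. Suggest passing only the versioned file name ("libcrypto.so.30") so the runtime linker chooses the directory for the ABI in use, and adding a comment beside the define stating which library version it must track.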
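
Review bot: In the "@@ -46,7 +47,7 @@" hunk, the failure message on the unchanged context line still reads print_dlerror("Unable to load libcrypto.so"), which no longer names the file that is passed to dlopen(). Suggest building the message from the macro, for example print_dlerror("Unable to load " CRYPTO_LIBRARY), so that a missing or mismatched versioned library can be identified from the error output.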