Bug 516181 (CVE-2009-2417)

Summary: CVE-2009-2417 curl: incorrect verification of SSL certificate with NUL in name
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jnovy, kdudka, kreilly, mmalik, mvadkert, rvokal, tmraz, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-31 13:32:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 516251, 516255, 516256, 516257, 516258    
Bug Blocks:    

Description Tomas Hoger 2009-08-07 08:36:12 UTC 
A method to bypass SSL certificate name vs. host name verification via NUL ('\0') character embedded in X509 certificate's CommonName or subjectAltName was presented at Black Hat USA 2009:

http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike

This flaw also affects curl built with OpenSSL crypto library (problem can also affect curl using unpatched versions of NSS or GnuTLS libraries, though updating those libraries to patched versions is sufficient to protect curl versions linked against those libraries).

Upstream advisory:
http://curl.haxx.se/docs/adv_20090812.txt

Upstream patch:
http://cool.haxx.se/cvs.cgi/curl/lib/ssluse.c.diff?r1=1.230&r2=1.235
(minus sni changes from r1.232)

Backported patches for various curl versions:
http://curl.haxx.se/CVE-2009-2417/

Upstream bug report:
http://curl.haxx.se/bug/view.cgi?id=2829955

curl as shipped with Red Hat Enterprise Linux 3, 4 and 5 uses OpenSSL and is affected by this problem (version in EL3 does not seem to support subjectAltName).

curl versions in Fedora are using NSS and are not affected by this problem.
Comment 15 Tomas Hoger 2009-08-12 10:07:30 UTC 
Fully public now via:
  http://curl.haxx.se/docs/adv_20090812.html
Comment 16 errata-xmlrpc 2009-08-13 14:34:38 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1209 https://rhn.redhat.com/errata/RHSA-2009-1209.html