Bug 1302371 - openssl: X509_check_issued() does not check BasicConstraints
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20170324,repor...
Keywords: Security
Blocks: 1301692
Reported: 2016-01-27 11:05 EST by Adam Mariš
Modified: 2017-03-24 02:45 EDT (History)

Doc Type: Bug Fix
Last Closed: 2017-03-24 02:45:57 EDT

Attachments:
Proposed patch (1.32 KB, patch), 2016-01-27 11:07 EST, Adam Mariš
Proposed upstream patch 1 (1.82 KB, patch), 2016-02-15 11:33 EST, Adam Mariš
Proposed upstream patch 2 (1.84 KB, patch), 2016-02-15 11:33 EST, Adam Mariš
Proposed upstream patch 3 (11.24 KB, patch), 2016-02-15 11:34 EST, Adam Mariš
Proposed upstream patch 4 (6.88 KB, patch), 2016-02-15 11:34 EST, Adam Mariš

Description Adam Mariš 2016-01-27 11:05:12 EST
It was reported that X509_check_issued() only checked the X509 Key Usage field for KU_KEY_CERT_SIGN but not the BasicConstraints field for CA:true. The missing check can cause X509_verify_cert() to pick up an invalid trust anchor when X509_V_FLAG_TRUSTED_FIRST is set.
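As an added illustration (not the page's or OpenSSL's code), a constructed Python model of the issuer-selection behaviour the report describes: check_issued_ku_only mirrors the name-plus-KU_KEY_CERT_SIGN check, check_issued_fixed adds the BasicConstraints CA:true requirement, and find_issuer consults the trust store before the peer-supplied chain as X509_V_FLAG_TRUSTED_FIRST does. All certificate data and names below are constructed sample values.

```python
# Constructed toy model of issuer selection, not OpenSSL code. Certificates
# are plain dicts carrying only the fields that matter for this bug.

def make_cert(subject, issuer, ca, key_cert_sign):
    """Minimal stand-in for an X509 certificate (constructed sample data)."""
    return {"subject": subject, "issuer": issuer,
            "ca": ca, "key_cert_sign": key_cert_sign}

def check_issued_ku_only(issuer, subject):
    """Behaviour described in the report: issuer-name match plus
    KU_KEY_CERT_SIGN in KeyUsage; BasicConstraints is never consulted."""
    return issuer["subject"] == subject["issuer"] and issuer["key_cert_sign"]

def check_issued_fixed(issuer, subject):
    """Same check, additionally requiring BasicConstraints CA:true."""
    return check_issued_ku_only(issuer, subject) and issuer["ca"]

def find_issuer(cert, trusted, untrusted, check_issued, trusted_first=True):
    """Return (candidate, 'trusted'|'untrusted') for the first certificate
    the check accepts. With trusted_first (the X509_V_FLAG_TRUSTED_FIRST
    case) the trust store is searched before the peer chain. None if no
    candidate passes."""
    pools = [(trusted, "trusted"), (untrusted, "untrusted")]
    if not trusted_first:
        pools.reverse()
    for pool, origin in pools:
        for cand in pool:
            if check_issued(cand, cert):
                return cand, origin
    return None

# Constructed scenario: the trust store holds an end-entity certificate whose
# subject equals the leaf's issuer name and whose KeyUsage wrongly carries
# keyCertSign; the genuine intermediate CA is only in the peer-supplied chain.
LEAF = make_cert("CN=server", "CN=Intermediate CA", ca=False, key_cert_sign=False)
BOGUS_ANCHOR = make_cert("CN=Intermediate CA", "CN=Root", ca=False, key_cert_sign=True)
REAL_CA = make_cert("CN=Intermediate CA", "CN=Root", ca=True, key_cert_sign=True)

def anchor_origin(check_issued):
    """(is_ca, pool) of the issuer selected for LEAF under the given check."""
    found = find_issuer(LEAF, [BOGUS_ANCHOR], [REAL_CA], check_issued)
    return None if found is None else (found[0]["ca"], found[1])

if __name__ == "__main__":
    print("KU-only check:", anchor_origin(check_issued_ku_only))  # (False, 'trusted')
    print("fixed check  :", anchor_origin(check_issued_fixed))    # (True, 'untrusted')
```

With the KeyUsage-only check the non-CA certificate in the trust store wins simply because it is searched first; with the CA:true check it is skipped and the real intermediate is selected.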
Comment 2 Adam Mariš 2016-01-27 11:07 EST
Created attachment 1118829 [details]
Proposed patch
Comment 3 Adam Mariš 2016-01-27 11:08:14 EST
Acknowledgments:

This issue was discovered by Christian Heimes of Red Hat.
Comment 4 Adam Mariš 2016-02-15 11:33 EST
Created attachment 1127338 [details]
Proposed upstream patch 1
Comment 5 Adam Mariš 2016-02-15 11:33 EST
Created attachment 1127339 [details]
Proposed upstream patch 2
Comment 6 Adam Mariš 2016-02-15 11:34 EST
Created attachment 1127340 [details]
Proposed upstream patch 3
Comment 7 Adam Mariš 2016-02-15 11:34 EST
Created attachment 1127341 [details]
Proposed upstream patch 4
