Re: git: 0990136ed175 - main - kerberos5: Mitigate the possibility of using an old libcrypto

From: Jessica Clarke <jrtc27_at_freebsd.org>
Date: Thu, 18 Jan 2024 17:43:36 UTC
On 18 Jan 2024, at 17:35, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> 
> On Thu, Jan 18, 2024 at 05:29:47PM +0000, Jessica Clarke wrote:
>> On 18 Jan 2024, at 15:23, Cy Schubert <cy@FreeBSD.org> wrote:
>>> 
>>> The branch main has been updated by cy:
>>> 
>>> URL: https://cgit.FreeBSD.org/src/commit/?id=0990136ed1753ac7837206f9c5f4b83ccff6c405
>>> 
>>> commit 0990136ed1753ac7837206f9c5f4b83ccff6c405
>>> Author:     Cy Schubert <cy@FreeBSD.org>
>>> AuthorDate: 2024-01-18 08:22:20 +0000
>>> Commit:     Cy Schubert <cy@FreeBSD.org>
>>> CommitDate: 2024-01-18 15:12:14 +0000
>>> 
>>>   kerberos5: Mitigate the possibility of using an old libcrypto
>>> 
>>>   By using the full library name (libcrypto.so.30) we avoid the exposure
>>>   of using an old, possibly vulnerable, library.
>>> 
>>>   Reported by:            jrtc27
>>>   MFC after:              3 days
>>>   X-MFC with:             476d63e091c2
>>>   Fixes:                  476d63e091c2
>>> ---
>>> kerberos5/lib/libroken/fbsd_ossl_provider_load.c | 3 ++-
>>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>> 
>>> diff --git a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
>>> index 497b32124f96..2328041bc166 100644
>>> --- a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
>>> +++ b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
>>> @@ -5,6 +5,7 @@
>>> #include <openssl/provider.h>
>>> 
>>> #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
>>> +#define CRYPTO_LIBRARY "/lib/libcrypto.so.30"
>> 
>> This still assumes the native ABI is in use, i.e. doesn’t account for
>> libcompat. Can we please just drop the directory, or if it’s really
>> needed for some reason at least handle the libcompat case?
> 
> Using relative paths might carry a potential security risk if the
> LD_LIBRARY_PATH environment variable is set to an attacker-controlled
> directory.

That’s true for direct linking too, yet we don’t hard-code everything
everywhere there. What’s special about dlopen?

Jess