Re: git: 0990136ed175 - main - kerberos5: Mitigate the possibility of using an old libcrypto
Date: Thu, 18 Jan 2024 17:43:36 UTC
On 18 Jan 2024, at 17:35, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
>
> On Thu, Jan 18, 2024 at 05:29:47PM +0000, Jessica Clarke wrote:
>> On 18 Jan 2024, at 15:23, Cy Schubert <cy@FreeBSD.org> wrote:
>>>
>>> The branch main has been updated by cy:
>>>
>>> URL: https://cgit.FreeBSD.org/src/commit/?id=0990136ed1753ac7837206f9c5f4b83ccff6c405
>>>
>>> commit 0990136ed1753ac7837206f9c5f4b83ccff6c405
>>> Author:     Cy Schubert <cy@FreeBSD.org>
>>> AuthorDate: 2024-01-18 08:22:20 +0000
>>> Commit:     Cy Schubert <cy@FreeBSD.org>
>>> CommitDate: 2024-01-18 15:12:14 +0000
>>>
>>>     kerberos5: Mitigate the possibility of using an old libcrypto
>>>
>>>     By using the full library name (libcrypto.so.30) we avoid the exposure
>>>     of using an old, possibly vulnerable, library.
>>>
>>>     Reported by:    jrtc27
>>>     MFC after:      3 days
>>>     X-MFC with:     476d63e091c2
>>>     Fixes:          476d63e091c2
>>> ---
>>>  kerberos5/lib/libroken/fbsd_ossl_provider_load.c | 3 ++-
>>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
>>> index 497b32124f96..2328041bc166 100644
>>> --- a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
>>> +++ b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
>>> @@ -5,6 +5,7 @@
>>> #include <openssl/provider.h>
>>>
>>> #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
>>> +#define CRYPTO_LIBRARY "/lib/libcrypto.so.30"
>>
>> This still assumes the native ABI is in use, i.e. doesn’t account for
>> libcompat. Can we please just drop the directory, or if it’s really
>> needed for some reason at least handle the libcompat case?
>
> Using relative paths might carry a potential security risk if the
> LD_LIBRARY_PATH environment variable is set to an attacker-controlled
> directory.

That’s true for direct linking too, yet we don’t hard-code everything
everywhere there. What’s special about dlopen?

Jess
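Review bot: the added line '#define CRYPTO_LIBRARY "/lib/libcrypto.so.30"' pins the directory as well as the SONAME, so it only holds for the native ABI (the libcompat case raised in the thread) and has to be edited by hand every time the libcrypto SONAME bumps. If the goal stated in the commit message is just to stop an older libcrypto from being resolved, the versioned SONAME without a directory ("libcrypto.so.30") keeps that pin while letting rtld pick the ABI-appropriate library directory; if the absolute path is kept deliberately because of the LD_LIBRARY_PATH concern, derive the directory from the build's library path rather than a literal /lib and say so in a comment beside the define, since the trade-off is not obvious from the line itself. The hunk shows only the new define and not the line the diffstat reports as deleted, so the dlopen call site that consumes CRYPTO_LIBRARY, and how a failed load is handled there, is not visible in this context.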