Re: git: 0990136ed175 - main - kerberos5: Mitigate the possibility of using an old libcrypto
Date: Thu, 18 Jan 2024 17:29:47 UTC
On 18 Jan 2024, at 15:23, Cy Schubert <cy@FreeBSD.org> wrote: > > The branch main has been updated by cy: > > URL: https://cgit.FreeBSD.org/src/commit/?id=0990136ed1753ac7837206f9c5f4b83ccff6c405 > > commit 0990136ed1753ac7837206f9c5f4b83ccff6c405 > Author: Cy Schubert <cy@FreeBSD.org> > AuthorDate: 2024-01-18 08:22:20 +0000 > Commit: Cy Schubert <cy@FreeBSD.org> > CommitDate: 2024-01-18 15:12:14 +0000 > > kerberos5: Mitigate the possibility of using an old libcrypto > > By using the full library name (libcrypto.so.30) we avoid the exposure > of using an old, possibly vulnerable, library. > > Reported by: jrtc27 > MFC after: 3 days > X-MFC with: 476d63e091c2 > Fixes: 476d63e091c2 > --- > kerberos5/lib/libroken/fbsd_ossl_provider_load.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c > index 497b32124f96..2328041bc166 100644 > --- a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c > +++ b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c > @@ -5,6 +5,7 @@ > #include <openssl/provider.h> > > #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) > +#define CRYPTO_LIBRARY "/lib/libcrypto.so.30" This still assumes the native ABI is in use, i.e. doesn’t account for libcompat. Can we please just drop the directory, or if it’s really needed for some reason at least handle the libcompat case? Jess > static void fbsd_ossl_provider_unload(void); > static void print_dlerror(char *); > static OSSL_PROVIDER *legacy; > @@ -46,7 +47,7 @@ fbsd_ossl_provider_load(void) > { > #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) > if (crypto_lib_handle == NULL) { > - if (!(crypto_lib_handle = dlopen("/usr/lib/libcrypto.so", > + if (!(crypto_lib_handle = dlopen(CRYPTO_LIBRARY, > RTLD_LAZY|RTLD_GLOBAL))) { > print_dlerror("Unable to load libcrypto.so"); > return (EINVAL);
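Review bot: In the first hunk, `+#define CRYPTO_LIBRARY "/lib/libcrypto.so.30"` hard-codes an absolute path, so dlopen() bypasses the dynamic linker's search order and the library is missing or the wrong ABI for any process whose libraries do not live under /lib (the libcompat case raised above). Dropping the directory, `#define CRYPTO_LIBRARY "libcrypto.so.30"`, keeps the major-version pin that the commit message relies on while letting rtld resolve the copy matching the running ABI; a short comment beside the define stating that the explicit ".so.30" suffix is deliberate would also keep the intent from being lost in a later cleanup.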
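Review bot: In the second hunk the failure path still reports `print_dlerror("Unable to load libcrypto.so");` while the dlopen() call now uses CRYPTO_LIBRARY, so a failed load will not tell the operator which file was actually attempted; build the message from CRYPTO_LIBRARY (or pass it through to print_dlerror) so the diagnostic matches the path tried.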