On Thu, Jan 18, 2024 at 05:29:47PM +0000, Jessica Clarke wrote: > On 18 Jan 2024, at 15:23, Cy Schubert <c...@freebsd.org> wrote: > > > > The branch main has been updated by cy: > > > > URL: > > https://cgit.FreeBSD.org/src/commit/?id=0990136ed1753ac7837206f9c5f4b83ccff6c405 > > > > commit 0990136ed1753ac7837206f9c5f4b83ccff6c405 > > Author: Cy Schubert <c...@freebsd.org> > > AuthorDate: 2024-01-18 08:22:20 +0000 > > Commit: Cy Schubert <c...@freebsd.org> > > CommitDate: 2024-01-18 15:12:14 +0000 > > > > kerberos5: Mitigate the possibility of using an old libcrypto > > > > By using the full library name (libcrypto.so.30) we avoid the exposure > > of using an old, possibly vulnerable, library. > > > > Reported by: jrtc27 > > MFC after: 3 days > > X-MFC with: 476d63e091c2 > > Fixes: 476d63e091c2 > > --- > > kerberos5/lib/libroken/fbsd_ossl_provider_load.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c > > b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c > > index 497b32124f96..2328041bc166 100644 > > --- a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c > > +++ b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c > > @@ -5,6 +5,7 @@ > > #include <openssl/provider.h> > > > > #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) > > +#define CRYPTO_LIBRARY "/lib/libcrypto.so.30" > > This still assumes the native ABI is in use, i.e. doesn’t account for > libcompat. Can we please just drop the directory, or if it’s really > needed for some reason at least handle the libcompat case?
Using relative paths might carry a potential security risk if the LD_LIBRARY_PATH environment variable is set to an attacker-controlled directory. Thanks, -- Shawn Webb Cofounder / Security Engineer HardenedBSD https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
signature.asc
Description: PGP signature
