Dangerous prefix set #140
Comments
|
Thanks for pointing this out! I posted what I think should fix this in #141 |
LarsMichelsen
pushed a commit
to Checkmk/checkmk
that referenced
this issue
Jun 8, 2022
We need to update openssl-src to remove this vulnerability: alexcrichton/openssl-src-rs#140 This was also found in the pentest 1/2022. CMK-10324 Change-Id: Ia1abe2484bd17f22bb88a8752915c3b9fe89220f
LarsMichelsen
pushed a commit
to Checkmk/checkmk
that referenced
this issue
Jun 8, 2022
We need to update openssl-src to remove this vulnerability: alexcrichton/openssl-src-rs#140 This was also found in the pentest 1/2022. CMK-10324 Change-Id: Ia1abe2484bd17f22bb88a8752915c3b9fe89220f
neuronull
added a commit
to vectordotdev/openssl-src-rs
that referenced
this issue
Jul 19, 2022
* only build necessary target (alexcrichton#43) * Bump to 111.6.1+1.1.1d * Update checkout actions reference * Fixed apparent typo in the readme (alexcrichton#46) * Work around upstream cargo issues * Add handling for target riscv64gc-unknown-linux-gnu (alexcrichton#48) * Disable asmjs for now * Allow to specify custom path for Perl (alexcrichton#49) * Allow to specify custom path for Perl Env var OPENSSL_SRC_PERL can be set to specify a path to the perl binary to use to call the openssl perl scripts. Resolves alexcrichton#45 * Fallback to PERL env var if OPENSSL_SRC_PERL is not set * Add support for non-x86 archs on FreeBSD (alexcrichton#50) Caused by: process didn't exit successfully: `.../rust-bootstrap/work-aarch64/rustc-1.40.0-src/build/x86_64-unknown-freebsd/stage1-tools/release/build/openssl-sys-4b2d35028bf73953/build-script-main` (exit code: 101) --- stdout cargo:rustc-cfg=const_fn --- stderr thread 'main' panicked at 'don't know how to configure OpenSSL for aarch64-unknown-freebsd', .../rust-bootstrap/work-aarch64/rustc-1.40.0-src/vendor/openssl-src/src/lib.rs:178:18 * Update CI installation of Rust on macos~ * support for illumos systems (alexcrichton#52) Resolves alexcrichton#51 * More comment out of asmjs * Use gmake by default on all DragonFlyBSD, FreeBSD or Solaris targets (alexcrichton#53) * Bump to 1.1.1e (alexcrichton#54) * Add support for illumos triple (alexcrichton#56) * Bump to 1.1.1f (alexcrichton#58) * Release 111.8.1+1.1.1f * Bump to 1.1.1g * Do not overwrite AR and RANLIB env vars if set (alexcrichton#62) * Add engine support for linux-gnu (alexcrichton#63) * add engine support for linux-gnu Signed-off-by: Xintao <[email protected]> * address comment Signed-off-by: Xintao <[email protected]> * add blacklist os Signed-off-by: Xintao <[email protected]> * add blacklist os Signed-off-by: Xintao <[email protected]> * To check CI build info Signed-off-by: Xintao <[email protected]> * add comments Signed-off-by: Xintao <[email protected]> * Bump to 111.10.0+1.1.1g * Fix build on macOS with latest cc crate (alexcrichton#67) cc v1.0.58 broke the macOS build by including the "-arch" flag in the default set of compiler flags. Strip it out, like we do for iOS targets. Closes alexcrichton#66. * Bump to 111.10.1+1.1.1g * add optional features for less used algorithms (alexcrichton#68) This commit disables by default a few of the weaker cryptographical algorithms into a "weak-crypto" feature as well as some of the less used algorithms into their own specific features. These algorithms are not directly exposed through the rust-openssl crate. The compilation of these can be re-enabled by selecting the desired features. This should slightly reduce build time and library size. Signed-off-by: Petre Eftime <[email protected]> * Bump to 111.10.2+1.1.1g * Bump to 1.1.1h (alexcrichton#73) * Add FreeBSD powerpc64le support (alexcrichton#75) FreeBSD PowerPC64LE is a new target. This is needed to cross-build cargo. * Add upstream patch to allow building on aarch64-apple-darwin (alexcrichton#74) * Use fs module convenience methods for MUSL patch * Add upstream patch to allow building on aarch64-apple-darwin Closes alexcrichton#72 * i586 support (alexcrichton#76) * Bump to 111.12.0+1.1.1h * Add aarch64-apple-darwin to CI (alexcrichton#77) * OpenBSD support (alexcrichton#78) * Update OpenSSL to 1.1.1i * Update CI * Remove now no-longer-necessary patches * Support targets `armv7-unknown-linux-gnueabi/musleabi` (alexcrichton#80) Support targets `armv7-unknown-linux-gnueabi` & `armv7-unknown-linux-musleabi` * Make it compile for wasm32-wasi (alexcrichton#81) * Catch more failures on Windows in CI (alexcrichton#84) * Catch more failures on Windows in CI * Link missing library for OpenSSL on MSVC Looks like some functions may pull in user32 functions, so that library needs to be linked. * Try to fix msvc +crt-static builds * Try to see all failures * More output * Fix setting crt-static * More CI tweaks * Add the bin dir to cargo's search path on MSVC That's where it contains the actual dlls needed at runtime * Moved "no-shared" so that also windows statically link to the libraries (alexcrichton#83) * Moved "no-shared" so that windows statically link to the libraries * try reapplying changes * removed shared as it's always false. Co-authored-by: molleafauss <[email protected]> * Bump to OpenSSL 1.1.1j (alexcrichton#85) * add nasm support for msvc (alexcrichton#87) * add nasm support for windows-msvc This will automatically detect whether nasm.exe is installed and try to enable the assembly language routines. These can also be disabled by set the `OPENSSL_RUST_NO_NASM` environment variable to a non-zero value. * don't use '>> $GITHUB_ENV' to overwrite PATH * remove the windows check in CI * give user more control on the env var * add env var in CI, less acceptable values for env var * fix path format for using bash on windows * 'OPENSSL_RUST_USE_NASM' env var only accept 0 or 1 * Bump to 1.1.1k * Add FreeBSD powerpc support (alexcrichton#90) This is needed to support cargo cross-build for 32-bit powerpc on FreeBSD. * Upgrade to GitHub-native Dependabot (alexcrichton#92) Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> * Support targets `armv5te-unknown-linux-gnueabi/musleabi` (alexcrichton#94) * Support targets `popwerpc64(le)-unknown-linux-musl` (alexcrichton#95) * Support targets `mips64(el)-unknown-linux-muslabi64` (alexcrichton#96) * Support target `s390x-unknown-linux-musl` (alexcrichton#97) * Bump to openssl 1.1.1l (alexcrichton#100) * Bump to 1.1.1m * test on 1.1.1 branch * Fix aarch64-apple-darwin CI (alexcrichton#116) (cherry picked from commit 466ffd2) * Bump to 1.1.1n (alexcrichton#123) * Update "old" windows image on CI (alexcrichton#126) * Bump to 1.1.1o (alexcrichton#136) * Bump to 1.1.1o * Disable arm-linux-androideabi test * Backport wycheproof exclude to 1.1.1 branch (alexcrichton#139) * Backport wycheproof exclude to 1.1.1 branch * Backport exclude CI checks * Backport exclude CI checks * Configure `--openssldir` to its default location (alexcrichton#141) (alexcrichton#142) As pointed out in alexcrichton#140 otherwise certificates and configure is by default looked up in the directory of the build machine itself which is often a writable path. Instead switch the configuration option back to the default recommended in openssl's `INSTALL.md` Closes alexcrichton#140 * Bump to 111.20.0+1.1.1o (alexcrichton#143) * Bump to 1.1.1p (alexcrichton#145) * Bump to 1.1.1q (alexcrichton#147) Co-authored-by: Jay <[email protected]> Co-authored-by: Alex Crichton <[email protected]> Co-authored-by: Alex Gaynor <[email protected]> Co-authored-by: msizanoen1 <[email protected]> Co-authored-by: Franck Royer <[email protected]> Co-authored-by: Tobias Kortkamp <[email protected]> Co-authored-by: Joshua M. Clulow <[email protected]> Co-authored-by: MikaelUrankar <[email protected]> Co-authored-by: Steven Fackler <[email protected]> Co-authored-by: Patrick Mooney <[email protected]> Co-authored-by: Steven Fackler <[email protected]> Co-authored-by: James McMurray <[email protected]> Co-authored-by: Xintao <[email protected]> Co-authored-by: Nikhil Benesch <[email protected]> Co-authored-by: petreeftime <[email protected]> Co-authored-by: Brandon Bergren <[email protected]> Co-authored-by: Jake Goulding <[email protected]> Co-authored-by: Will <[email protected]> Co-authored-by: Jake Goulding <[email protected]> Co-authored-by: kiron1 <[email protected]> Co-authored-by: IceCodeNew <[email protected]> Co-authored-by: Pierre Krieger <[email protected]> Co-authored-by: Alex Malgaroli <[email protected]> Co-authored-by: molleafauss <[email protected]> Co-authored-by: Kane <[email protected]> Co-authored-by: Brandon Bergren <[email protected]> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: messense <[email protected]> Co-authored-by: Alexis Mousset <[email protected]> Co-authored-by: Eric Huss <[email protected]> Co-authored-by: Alexis Mousset <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
I just noticed in some binaries using your library that they are looking in some weird places for an openss.cnf. The weird places is usually a path used for building the binaries. So I dug a bit deeper and found this code:
openssl-src-rs/src/lib.rs
Line 137 in 9f28b4c
I created the folders and indeed the config is loaded (strace indicates so) but unfortunately (for me) I did not manage to exploit this. This path should be kept restricted as CVE-2019-1552 indicates. (https://www.openssl.org/news/secadv/20190730.txt) OpenSSL sets a good default unfortunately it is overwritten by the library.
Could you drop that or offer a solution to set this to the OpenSSL default again?
Unfortunately I'm no rust dev so I cannot really test/debug stuff or even create a pull request. Anyways, thanks for looking into this!
The text was updated successfully, but these errors were encountered: