Issue #15561 has been updated by Dustin Mitchell.
OpenSSL *requires* a slash in the subject:
[root@relabs07 ssl-master]# openssl req -new -newkey rsa:2048 -keyout
ca/ca_key.pem -days 3650 -x509 -out ca/ca_crt.pem -subj 'foo'
Generating a 2048 bit RSA private key
..............................................................................+++
...........................................................................................................................................................................................................................................................+++
writing new private key to 'ca/ca_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Subject does not start with '/'.
problems making Certificate Request
so, .. yeah. I'm working on a version of 3.0.2 with
https://github.com/puppetlabs/puppet/pull/1101 patched in, since that seems the
only way to make this work.
Yuri, can you explain a bit more how your patch works, and make a pull request
for it, attached here?
----------------------------------------
Bug #15561: Fix for CVE-2012-3867 is too restrictive
https://projects.puppetlabs.com/issues/15561#change-80050
Author: Dustin Mitchell
Status: Accepted
Priority: Urgent
Assignee:
Category: SSL
Target version: 2.7.x
Affected Puppet version: 2.7.18
Keywords: certificate
Branch: https://github.com/puppetlabs/puppet/pull/1101
The fix for CVE-2012-3867 involves checking certificate subjects for "weird"
characters. From my read of the CVE entry, this is to filter out characters
that would cause the name to display in a manner visually indistinguishable
from a valid hostname.
However, the check is too restrictive:
Could not retrieve catalog from remote server: Certname "puppetagain base
ca/[email protected]/ou=release engineering/o=mozilla, inc."
must not contain unprintable or non-ASCII characters
In particular, / is a very common character in subjects, and should be allowed.
Puppet is seeing this subject on my base CA - I'm using certificate chaining.
The fix is one character, so I haven't included a patch, but I'm happy to make
a pull req if necessary.
Another fix would be to only verify certificate subjects for the leaf
certificate, and not any of the certs in its signing chain, but that seems less
secure.
It's also worth noting that the regex is overly broad, since it downcases the
string, then accepts A-Z among other characters.
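As an added illustration, not Puppet's code and not the reporter's patch, here is a subject check of the kind the report asks for: it rejects unprintable and non-ASCII characters but permits '/', and a second helper walks a signing chain and reports which subject trips the check. Puppet's own regex is not quoted in the ticket, so the pattern, the helper names and the sample chain are assumptions.

```ruby
# Added example, not code from Puppet or from the reporter.
# Printable ASCII is 0x20 (space) through 0x7E ('~'). '/' is 0x2F and sits
# inside that range, as do '=', ',', '@' and '.' from the quoted subject, so a
# chained CA subject such as "base ca/ou=release engineering/o=mozilla, inc."
# passes while control characters and non-ASCII letters are refused.
# Matching the raw string avoids the downcase-then-accept-A-Z redundancy the
# report points out. The pattern is an assumed shape, not Puppet's regex.
PRINTABLE_ASCII = /\A[\x20-\x7E]+\z/

def valid_certname?(name)
  return false if name.nil? || name.empty?
  PRINTABLE_ASCII.match?(name)
end

# Characters that would cause the "must not contain unprintable or non-ASCII
# characters" rejection, useful when diagnosing which cert in a chain fails.
def offending_chars(name)
  name.each_char.reject { |c| c.ord.between?(0x20, 0x7E) }.uniq
end

# Check every subject in a signing chain (leaf first); returns the first
# subject that fails, or nil when the whole chain is acceptable.
def first_invalid_subject(chain)
  chain.find { |subject| !valid_certname?(subject) }
end

# Constructed sample chain (hypothetical names): a leaf, a chained
# intermediate whose subject contains '/', and a root with a stray tab.
SAMPLE_CHAIN = [
  "web01.example.com",
  "puppetagain base ca/ou=release engineering/o=mozilla, inc.",
  "root\tca",
].freeze

if __FILE__ == $PROGRAM_NAME
  bad = first_invalid_subject(SAMPLE_CHAIN)
  puts "rejected subject: #{bad.inspect}, offending: #{offending_chars(bad).map(&:inspect).join(', ')}"
end
```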