From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 26 Apr 2022 12:40:24 +0200 Subject: [PATCH] c_rehash: Do not use shell to invoke openssl Except on VMS where it is safe. This fixes CVE-2022-1292. Reviewed-by: Matthias St. Pierre Reviewed-by: Matt Caswell diff -wpruN '--exclude=*.orig' a~/tools/c_rehash.in a/tools/c_rehash.in --- a~/tools/c_rehash.in 1970-01-01 00:00:00 +++ a/tools/c_rehash.in 1970-01-01 00:00:00 @@ -137,6 +137,23 @@ sub check_file { return ($is_cert, $is_crl); } +sub compute_hash { + my $fh; + if ( $^O eq "VMS" ) { + # VMS uses the open through shell + # The file names are safe there and list form is unsupported + if (!open($fh, "-|", join(' ', @_))) { + print STDERR "Cannot compute hash on '$fname'\n"; + return; + } + } else { + if (!open($fh, "-|", @_)) { + print STDERR "Cannot compute hash on '$fname'\n"; + return; + } + } + return (<$fh>, <$fh>); +} # Link a certificate to its subject name hash value, each hash is of # the form . where n is an integer. If the hash value already exists @@ -146,10 +163,12 @@ sub check_file { sub link_hash_cert { my $fname = $_[0]; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; + my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, + "-fingerprint", "-noout", + "-in", $fname); chomp $hash; chomp $fprint; + return if !$hash; $fprint =~ s/^.*=//; $fprint =~ tr/://d; my $suffix = 0; @@ -181,10 +200,12 @@ sub link_hash_cert { sub link_hash_crl { my $fname = $_[0]; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; + my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, + "-fingerprint", "-noout", + "-in", $fname); chomp $hash; chomp $fprint; + return if !$hash; $fprint =~ s/^.*=//; $fprint =~ tr/://d; my $suffix = 0;