alexcrichton / openssl-src-rs

Source code and logic to build OpenSSL from source
Apache License 2.0

Dangerous prefix set #140

Status: Closed (Shortfinga closed 2 years ago)

Shortfinga commented 2 years ago

Hi,

I just noticed in some binaries using your library that they are looking in some weird places for an openssl.cnf. The weird places are usually a path used for building the binaries. So I dug a bit deeper and found this code:

    if host.contains("pc-windows-gnu") {
        configure.arg(&format!("--prefix={}", sanitize_sh(&install_dir)));
    } else {
        configure.arg(&format!("--prefix={}", install_dir.display()));
    }

https://github.com/alexcrichton/openssl-src-rs/blob/9f28b4c1d100bde2b79752d4518e102814f9ec39/src/lib.rs#L137

I created the folders and indeed the config is loaded (strace indicates so), but unfortunately (for me) I did not manage to exploit this. This path should be kept restricted, as CVE-2019-1552 indicates (https://www.openssl.org/news/secadv/20190730.txt). OpenSSL sets a good default; unfortunately, it is overwritten by the library. Could you drop that or offer a solution to set this to the OpenSSL default again?

Unfortunately I'm no Rust dev so I cannot really test/debug stuff or even create a pull request. Anyways, thanks for looking into this!

alexcrichton commented 2 years ago

Thanks for pointing this out! I posted what I think should fix this in https://github.com/alexcrichton/openssl-src-rs/pull/141
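
The check described in this issue, as an added example that is not part of the original thread or the project's code: a Rust audit that pulls the embedded `OPENSSLDIR` out of a binary and reports the first path component a non-root user could create or modify. It assumes a Unix host and that the binary still contains OpenSSL's `OPENSSLDIR: "<path>"` version string; the function names and the sample bytes are constructed for illustration.

```rust
use std::fs;
use std::os::unix::fs::MetadataExt;
use std::path::{Path, PathBuf};

// Assumption: the binary retains OpenSSL's version string `OPENSSLDIR: "<path>"`.
const MARKER: &[u8] = b"OPENSSLDIR: \"";
// Constructed sample standing in for the bytes of a statically linked binary.
const SAMPLE: &[u8] = b"\0OpenSSL 1.1.1\0OPENSSLDIR: \"/home/builder/build/install/ssl\"\0";

/// Extract every OPENSSLDIR path embedded in the raw bytes of a binary.
pub fn embedded_openssl_dirs(bin: &[u8]) -> Vec<PathBuf> {
    let mut found = Vec::new();
    let mut pos = 0;
    while let Some(off) = bin[pos..].windows(MARKER.len()).position(|w| w == MARKER) {
        let start = pos + off + MARKER.len();
        // The path ends at the closing quote (or a NUL if the string is cut short).
        let len = bin[start..].iter().position(|&b| b == b'"' || b == 0).unwrap_or(0);
        if let Ok(s) = std::str::from_utf8(&bin[start..start + len]) {
            if !s.is_empty() {
                found.push(PathBuf::from(s));
            }
        }
        pos = start;
    }
    found
}

/// True if an existing path is owned by a non-root user or is group/world-writable.
fn non_root_writable(p: &Path) -> bool {
    fs::metadata(p).map(|m| m.uid() != 0 || m.mode() & 0o022 != 0).unwrap_or(false)
}

/// First component, walking from the directory up to `/`, that a non-root user can
/// modify. Missing components are skipped: whoever can write to the nearest existing
/// ancestor can create them. Conservative: sticky directories like /tmp are reported.
pub fn unrestricted_component(dir: &Path) -> Option<PathBuf> {
    dir.ancestors().find(|p| non_root_writable(p)).map(Path::to_path_buf)
}

fn main() {
    // Audit the binary given as the first argument, or the constructed sample.
    let bytes = std::env::args().nth(1).map_or(SAMPLE.to_vec(), |p| fs::read(p).expect("cannot read binary"));
    for dir in embedded_openssl_dirs(&bytes) {
        match unrestricted_component(&dir) {
            Some(c) => println!("OPENSSLDIR {} is controllable via {}", dir.display(), c.display()),
            None => println!("OPENSSLDIR {} is restricted to root", dir.display()),
        }
    }
}
```

A hit means an unprivileged local user can place an `openssl.cnf` where the binary looks for it, which is the exposure the issue reports.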