alexcrichton/openssl-src-rs

Dangerous prefix set

Shortfinga opened this issue · 1 comments

Hi,

I just noticed in some binaries using your library that they are looking in some weird places for an openssl.cnf. The weird place is usually a path used for building the binaries. So I dug a bit deeper and found this code:

    if host.contains("pc-windows-gnu") {
        configure.arg(&format!("--prefix={}", sanitize_sh(&install_dir)));
    } else {
        configure.arg(&format!("--prefix={}", install_dir.display()));
    }

I created the folders and indeed the config is loaded (strace indicates so), but unfortunately (for me) I did not manage to exploit this. This path should be kept restricted, as CVE-2019-1552 indicates (https://www.openssl.org/news/secadv/20190730.txt). OpenSSL sets a good default; unfortunately, it is overwritten by the library.
Could you drop that or offer a solution to set this to the OpenSSL default again?

Unfortunately, I'm no Rust dev, so I cannot really test/debug stuff or even create a pull request. Anyways, thanks for looking into this!

Thanks for pointing this out! I posted what I think should fix this in #141
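
An audit check for the condition reported in this issue, added here as an example (it is not part of the thread and not code from openssl-src-rs): libcrypto embeds its configured directory as the string `OPENSSLDIR: "<path>"`, so a shipped binary can be scanned for it and the path compared against a policy. The `TRUSTED` list, the function names and the sample path are assumptions made for illustration.

```rust
use std::path::{Component, Path};

// Marker libcrypto embeds for OpenSSL_version(OPENSSL_DIR).
const MARKER: &[u8] = b"OPENSSLDIR: \"";
// Assumed policy: directories only an administrator can create or modify.
const TRUSTED: &[&str] = &["/etc/ssl", "/usr/lib/ssl", "/usr/local/ssl"];

/// Return every OPENSSLDIR path compiled into the given binary image.
fn embedded_openssl_dirs(image: &[u8]) -> Vec<String> {
    let mut found = Vec::new();
    let mut pos = 0;
    while let Some(off) = image[pos..].windows(MARKER.len()).position(|w| w == MARKER) {
        let start = pos + off + MARKER.len();
        // The path runs up to the closing quote; skip truncated or empty hits.
        if let Some(len) = image[start..].iter().position(|&b| b == b'"') {
            if len > 0 {
                found.push(String::from_utf8_lossy(&image[start..start + len]).into_owned());
            }
        }
        pos = start;
    }
    found
}

/// True when the path is absolute, has no `..`, and lies under a trusted root.
fn is_trusted_dir(dir: &str) -> bool {
    let p = Path::new(dir);
    p.is_absolute()
        && !p.components().any(|c| c == Component::ParentDir)
        && TRUSTED.iter().any(|root| p.starts_with(root))
}

/// Paths a deployed binary would search that fall outside the policy.
fn untrusted_dirs(image: &[u8]) -> Vec<String> {
    embedded_openssl_dirs(image).into_iter().filter(|d| !is_trusted_dir(d)).collect()
}

fn main() {
    // Audit the file named on the command line, or a constructed sample image.
    let image = match std::env::args().nth(1) {
        Some(path) => std::fs::read(path).expect("cannot read binary"),
        None => b"\0\0OPENSSLDIR: \"/home/builder/out/openssl-build/install/ssl\"\0".to_vec(),
    };
    for dir in untrusted_dirs(&image) {
        println!("untrusted OPENSSLDIR: {}", dir);
    }
}
```

Run it against a release artifact in CI to catch a build-tree path before the binary ships; the path comparison is component-wise, so `/etc/sslx` does not pass as `/etc/ssl`.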