Package: fort-validator / 1.5.4-1+deb12u1

Metadata

Package: fort-validator
Version: 1.5.4-1+deb12u1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description

paths

man/fort.8 | 18 9 + 9 - 0 !
src/config.c | 2 1 + 1 - 0 !
2 files changed, 10 insertions(+), 10 deletions(-)

---
documentation

man/fort.8 | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

---
program_defaults

src/config.c | 11 9 + 2 - 0 !
1 file changed, 9 insertions(+), 2 deletions(-)

---
CVE-2024-45234.patch

src/object/certificate.c | 86 51 + 35 - 0 !
1 file changed, 51 insertions(+), 35 deletions(-)

 prevent crash on ber-encoded signedattrs

The code was assuming the object was DER-encoded, and the relevant
integer was therefore in short form.

Because I postponed the DER enforcement in
deef7b7823f21914b17838f152a8bd510a348f54, the code should not make
reckless assumptions about the signedAttrs encoding.

Thanks to Niklas Vogel for reporting this.

CVE-2024-45235.patch

src/extension.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [patch] prevent crash on missing authority key identifier

Another missing NULL check.

Thanks to Niklas Vogel for reporting this.


CVE-2024-45236.patch

src/asn1/signed_data.c | 18 10 + 8 - 0 !
1 file changed, 10 insertions(+), 8 deletions(-)

 [patch] prevent crash on missing signedattrs

Though RPKI enforces the presence of this field, it is very much
optional in CMS.
Also adds missing validation messages in relevant error paths.

Thanks to Niklas Vogel for reporting this.


CVE-2024-45237.patch

src/object/certificate.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] prevent crash on malformed key usage

Key Usage bit strings longer than 2 bytes were inducing buffer overflow.

Thanks to Niklas Vogel for reporting this.


CVE-2024-45238.patch

src/object/certificate.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 [patch] prevent crash on malformed subjectpublickey

A malformed subjectPublicKey causes X509_PUBKEY_get0() to return NULL.
Fort wasn't catching this when linked specifically to OpenSSL < 3.

Thanks to Niklas Vogel for reporting this.

CVE-2024-45239.patch

src/asn1/decode.c | 10 6 + 4 - 0 !
1 file changed, 6 insertions(+), 4 deletions(-)

 [patch] prevent crash on missing econtent

Applies to the RouteOriginAttestation and Manifest octet strings.

Thanks to Niklas Vogel for reporting this.


CVE-2024-48943.patch

docs/usage.md | 14 14 + 0 - 0 !
examples/config.json | 1 1 + 0 - 0 !
man/fort.8 | 12 12 + 0 - 0 !
src/config.c | 16 16 + 0 - 0 !
src/config.h | 1 1 + 0 - 0 !
src/rsync/rsync.c | 181 129 + 52 - 0 !
test/Makefile.am | 4 4 + 0 - 0 !
test/impersonator.c | 6 6 + 0 - 0 !
test/rsync/rsync_test.c | 339 339 + 0 - 0 !
9 files changed, 522 insertions(+), 52 deletions(-)

 [patch 1/7] introduce a rsync transfer timeout

Default set to 900 (same as rpki-client)

Fixes https://github.com/NICMx/FORT-validator/issues/74