Bazaar

urllib https implementation does not verify ssl certificates

Bug #651161 reported by dave b.
270
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Bazaar
Fix Released
High
Jelmer Vernooij
Bazaar 2.5b6
bzr (Debian)
Fix Released
Unknown
bzr (Ubuntu)
Fix Released
High
Jelmer Vernooij

Bug Description

Because pycurl isn't a dependency only a "suggestion" it will not be installed with bzr on ubuntu.
This is bad because the https implementation is broken as per bug http://bugs.python.org/issue1589
as bzr seems not to verify the common name (etc.) --> (see http://bazaar.launchpad.net/~bzr-pqm/bzr/bzr.dev/annotate/head%3A/bzrlib/transport/http/_urllib2_wrappers.py)

So your application is vulnerable, as long as I have a certificate signed by ca in the ca store, I can MITM bzr by default - as pycurl isn't a dep. Iff pycurl is installed you are not vulnerable.
Please let me know if I am wrong :)

Tags: https pycurl

Related branches

lp:~jelmer/bzr/urllib-verifies-ssl-certs
Merged into lp:bzr
Vincent Ladeuil: Needs Fixing
Martin Packman (community): Approve
Diff: 441 lines (+293/-18)
9 files modified
bzrlib/config.py (+7/-0)
bzrlib/errors.py (+8/-0)
bzrlib/tests/__init__.py (+1/-0)
bzrlib/tests/test_http.py (+0/-1)
bzrlib/tests/test_https_urllib.py (+109/-0)
bzrlib/transport/__init__.py (+3/-3)
bzrlib/transport/http/_urllib2_wrappers.py (+142/-14)
doc/en/release-notes/bzr-2.5.txt (+6/-0)
doc/en/whats-new/whats-new-in-2.5.txt (+17/-0)
lp:ubuntu/precise/bzr
dave b. (d+b)
visibility: private → public
Revision history for this message
Martin Pool (mbp) wrote : Re: [Bug 651161] [NEW] bzr fails to verify ssl validity in https connections - by default --> as pycurl isn't a dep only a suggestion

By this logic we should

1- require pycurl on Ubuntu
2- give some kind of user warning or opt-in before using non-pycurl
https to cover other platforms

or if it is feasible, verify the CN ourselves?

What do you think, Vincent?
--
Martin

Revision history for this message
Vincent Ladeuil (vila) wrote : Re: bzr fails to verify ssl validity in https connections - by default --> as pycurl isn't a dep only a suggestion

First:
- pycurl is still the default https implementation used if it is installed,
- users concerned with security are better served by using ssh and signing their revisions.

That being said, I suspect the more likely potential victims may not be aware of the problem at all and may not install pycurl nor use ssh nor sign their revisions.

Now, setting up a mitm attacjk alone is not enough, you also need to inject malicious code in a repo while still faking the signatures and sha1 associated with the revisions and that nobody check the code nor inspect the merge results.

That sill leave a narrow window for people not signing and I'm not sure we check the sha1 in all scenarios either.

But given the work involved on our side to even diagnose if such an attack is feasible, I think we should just implement https support properly for our urllib-based implementation.

I think most of our users are using python2.6 now, so supporting 2.4 and 2.5 is less concerning than it was last time I worked on the subject.

Vincent Ladeuil (vila)
Changed in bzr:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
dave b. (d+b) wrote :

The hg guys fixed this ... perhaps you could do what they do. (also see the python bug for the new ssl methods that now exist in 3.2)
Simply dropping the non-pycurl method maybe a good idea ? / adding a warning to the non-pycurl version.
So by default on ubuntu pycurl seems to be installed but on other distributions this may not be the case.

Jelmer Vernooij (jelmer)
tags: added: https pycurl
Jelmer Vernooij (jelmer)
Changed in bzr (Ubuntu):
status: New → Confirmed
Bug Watch Updater (bug-watch-updater)
Changed in bzr (Debian):
status: Unknown → New
Revision history for this message
Jelmer Vernooij (jelmer) wrote :

Shouldn't this be possible now with the ssl module in python 2.7?

Changed in bzr (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High
Jelmer Vernooij (jelmer)
Changed in bzr:
status: Confirmed → In Progress
assignee: nobody → Jelmer Vernooij (jelmer)
importance: Medium → High
Jelmer Vernooij (jelmer)
summary: - bzr fails to verify ssl validity in https connections - by default -->
- as pycurl isn't a dep only a suggestion
+ urllib https implementation does not verify ssl certificates
Changed in bzr (Ubuntu):
assignee: nobody → Jelmer Vernooij (jelmer)
Bug Watch Updater (bug-watch-updater)
Changed in bzr (Debian):
status: New → Confirmed
Jelmer Vernooij (jelmer)
Changed in bzr:
milestone: none → 2.5b5
Jelmer Vernooij (jelmer)
Changed in bzr (Ubuntu):
status: Triaged → In Progress
Vincent Ladeuil (vila)
Changed in bzr:
milestone: 2.5b5 → none
Vincent Ladeuil (vila)
Changed in bzr:
milestone: none → 2.5.0
status: In Progress → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in bzr (Debian):
status: Confirmed → Fix Released
Vincent Ladeuil (vila)
Changed in bzr:
milestone: 2.5.0 → 2.5b6
Jelmer Vernooij (jelmer)
Changed in bzr (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.