Quantal software-properties incorrectly validating ssl certs

Bug #1036839 reported by Marc Deslauriers
This bug affects 1 person
Affects: software-properties (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Mathieu Trudel-Lapierre
Milestone: (not set)

Bug Description

The python3 migration of software-properties causes it to incorrectly validate ssl certificates, leading to a MITM being able to compromise a remote system. It basically reverts the fix for LP: 915210.

from softwareproperties/ppa.py:

<snip>
# None means use the system default SSL store.
# Otherwise a path to a file is expected (as a bundle of certs)
LAUNCHPAD_PPA_CERT = None
<snip>
    try:
        lp_page = urllib2.urlopen(request, cafile=LAUNCHPAD_PPA_CERT)
    except TypeError:
        lp_page = urllib2.urlopen(request)

When running under python2, urllib2 does _not_ do ssl certificate checking.
When running under python3, urllib.request _does_ do ssl certificate checking, but only if the cafile points to a valid certificate bundle. Contrary to the comment in the code, setting it to None means it's not checking ssl certificates _at all_.
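An added example (not code from software-properties) showing the fail-closed policy the fix adopted: the CA bundle setting must be a valid path to the system store, and None is rejected instead of silently disabling verification. Names such as make_verified_context, classify_setting and the Debian bundle path are assumptions for this illustration.

```python
import os
import ssl
import urllib.request

# Constructed path: where Debian/Ubuntu install the system CA bundle.
DEBIAN_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

def default_system_bundle():
    """Return an existing CA bundle path, or None if none can be found."""
    for path in (ssl.get_default_verify_paths().cafile, DEBIAN_CA_BUNDLE):
        if path and os.path.isfile(path):
            return path
    return None

def make_verified_context(cafile):
    """Build an SSLContext that verifies the peer against an explicit bundle.
    On Python 3.2/3.3 (current when this bug was filed) urlopen(cafile=None)
    did no verification at all, so a missing bundle is an error, not a fallback."""
    if cafile is None:
        raise ValueError("no CA bundle configured")
    if not os.path.isfile(cafile):
        raise FileNotFoundError(cafile)
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject untrusted chains
    ctx.check_hostname = True            # and hostname mismatches
    return ctx

def context_verifies(ctx):
    """True only if the context rejects untrusted certs and hostname mismatches."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def classify_setting(cafile):
    """Say what a LAUNCHPAD_PPA_CERT-style value does under the fail-closed policy."""
    try:
        ctx = make_verified_context(cafile)
    except ValueError:
        return "refused: no bundle configured"
    except FileNotFoundError:
        return "refused: bundle path does not exist"
    except ssl.SSLError:
        return "refused: bundle contains no usable certificates"
    return "verified" if context_verifies(ctx) else "unverified"

def fetch_ppa_page(url, cafile=None):
    """Fetch a Launchpad page over verified HTTPS (performs a network request)."""
    ctx = make_verified_context(cafile or default_system_bundle())
    with urllib.request.urlopen(url, context=ctx) as resp:
        return resp.read()
```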

Marc Deslauriers (mdeslaur) wrote:

CVE-2011-4407 was fixed by migrating to pycurl:

http://bazaar.launchpad.net/~ubuntu-core-dev/software-properties/main/revision/738

The python3 port migrated it back to urllib, which is vulnerable:

http://bazaar.launchpad.net/~ubuntu-core-dev/software-properties/main/revision/759

tags: added: rls-q-incoming
Marc Deslauriers (mdeslaur) wrote:

This new issue has been assigned CVE-2012-0955

Marc Deslauriers (mdeslaur) wrote:
Changed in software-properties (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package software-properties - 0.92

---------------
software-properties (0.92) quantal; urgency=low

  [ Robert Roth ]
  * lp:~evfool/software-properties/lp1030970 :
    - Fixed the source code checkbox and the submit statistics
      checkbox labels to be left-aligned instead of centered.
  * lp:~evfool/software-properties/lp997371:
    - support enabling a component via "apt-add-repository componentname"
      (e.g. "apt-add-repository multiverse") LP: #997371

  [ Mathieu Trudel-Lapierre ]
  * Reinstate pycurl to use for getting PPA information from Launchpad, since
    it can actually verify SSL certificates with python2. Also set
    LAUNCHPAD_PPA_CERT so that it's a valid path to the system CA certificates
    bundle to use for urllib and pycurl. (LP: #1036839)
    - CVE-2012-0955

  [ Gabor Kelemen ]
  * lp:~kelemeng/software-properties/bug1035544:
    - fix a bunch of missing i18n strings (LP: #1035544)

  [ Michael Vogt ]
  * lp:~mvo/software-properties/remove-popcon:
    - remove the "statistics" page as this is no longer used
      (LP: #1025436)
 -- Michael Vogt <email address hidden> Mon, 27 Aug 2012 09:56:47 +0200

Changed in software-properties (Ubuntu):
status: In Progress → Fix Released