axel tries to download HTTPS URLs via HTTP (including credentials)

Bug #1761492 reported by Andreas 'count' Kotes
Affects: axel (Ubuntu) | Status: Expired | Importance: Undecided | Assigned to: Unassigned

Bug Description

When trying to download something via https:// using Axel 2.5 (as given in xenial), axel tries to download via port 80, passing all additional headers (Authorization etc.) in the clear.

Adding the port :443 explicitly makes it fail (as no SSL handshake is done).

Steps to reproduce:

$ COLUMNS=80 dpkg -l axel
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii axel 2.5-2 amd64 light command line download accel
$ strace -e connect axel -q -H 'Authorization: Bearer thisisveryconfidential' https://www.example.com/ 2>&1 | grep -v 'AF_LOCAL' | grep -v 'htons(53)'
connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("93.184.216.34")}, 16) = 0
connect(4, {sa_family=AF_INET6, sin6_port=htons(80), inet_pton(AF_INET6, "2606:2800:220:1:248:1893:25c8:1946", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)
connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("93.184.216.34")}, 16) = 0
+++ exited with 0 +++

2.13 (as given in artful) no longer has this problem:

$ COLUMNS=80 dpkg -l axel
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii axel 2.13.1-1 amd64 light command line download accel
$ strace -e connect axel -q -H 'Authorization: Bearer thisisveryconfidential' https://www.example.com/ 2>&1 | grep -v 'AF_LOCAL' | grep -v 'htons(53)'
connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("93.184.216.34")}, 16) = 0
connect(4, {sa_family=AF_INET6, sin6_port=htons(443), inet_pton(AF_INET6, "2606:2800:220:1:248:1893:25c8:1946", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)
connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("93.184.216.34")}, 16) = 0
+++ exited with 0 +++

Please arrange a security update.

information type: Private Security → Public Security
Andreas 'count' Kotes (berlincount) wrote :

Had a look at the code:

[..]
if( set_url[0] == 'f' )
  conn->proto = PROTO_FTP;
else if( set_url[0] == 'h' )
  conn->proto = PROTO_HTTP;
[..]

and

[..]
if( conn->proto == PROTO_FTP )
  serv = getservbyname( "ftp", "tcp" );
else
  serv = getservbyname( "www", "tcp" );
[..]

or, on Darwin:

[..]
if( conn->proto == PROTO_HTTP )
  conn->port = 80;
else
  conn->port = 21;
[..]

m( m( m(

This was not fixed at all before 2.10.

Ouch.
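The first-letter check quoted above, placed beside a scheme-based alternative, as an added illustration (constructed for this page, not axel's code). The hardened function matches the whole scheme, takes the default port and the TLS requirement from it, lets an explicit :port change only the port (so https://host:443/ still needs a TLS handshake), and refuses unknown schemes; struct conn, the PROTO_* names and the url_port/url_tls accessors are assumed names, not axel's API.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>
/* Constructed illustration, not axel's code: choose protocol, default port and
 * TLS requirement from the whole URL scheme rather than its first letter. */
enum proto { PROTO_NONE = 0, PROTO_FTP, PROTO_HTTP, PROTO_HTTPS };
struct conn { enum proto proto; int port; int tls; };
/* What the quoted 2.5 code does: only url[0] is checked, so an https:// URL
 * becomes PROTO_HTTP on port 80 with no TLS. */
int legacy_classify(const char *url, struct conn *c) {
    c->tls = 0;
    if (url[0] == 'f') { c->proto = PROTO_FTP;  c->port = 21; return 0; }
    if (url[0] == 'h') { c->proto = PROTO_HTTP; c->port = 80; return 0; }
    return -1;
}

/* Hardened form: match the full scheme, take port and TLS from it, let an
 * explicit :port override only the port, and reject unknown schemes. */
int classify_url(const char *url, struct conn *c) {
    static const struct { const char *scheme; enum proto proto; int port; int tls; }
        tbl[] = { { "https://", PROTO_HTTPS, 443, 1 },
                  { "http://",  PROTO_HTTP,   80, 0 },
                  { "ftp://",   PROTO_FTP,    21, 0 } };
    const char *auth, *end, *at, *colon;
    size_t i, n = 0;
    for (i = 0; i < sizeof tbl / sizeof tbl[0]; i++) {
        n = strlen(tbl[i].scheme);
        if (strncasecmp(url, tbl[i].scheme, n) == 0) break;
    }
    if (i == sizeof tbl / sizeof tbl[0]) return -1;   /* unknown scheme: refuse, don't guess */
    c->proto = tbl[i].proto; c->port = tbl[i].port; c->tls = tbl[i].tls;
    /* authority = text up to the first '/', '?' or '#'; drop any user:pass@ part */
    auth = url + n;
    end = auth + strcspn(auth, "/?#");
    if ((at = memchr(auth, '@', (size_t)(end - auth))) != NULL) auth = at + 1;
    /* skip an IPv6 literal so its colons are not taken for the port separator */
    colon = (*auth == '[') ? memchr(auth, ']', (size_t)(end - auth)) : auth;
    if (colon == NULL) return -1;
    if ((colon = memchr(colon, ':', (size_t)(end - colon))) != NULL) {
        char *stop;
        long p = strtol(colon + 1, &stop, 10);
        if (stop != end || p < 1 || p > 65535) return -1;   /* malformed port */
        c->port = (int)p;                /* the port changes, the TLS requirement does not */
    }
    return 0;
}
/* Small accessors so a result can be checked without touching struct conn. */
int url_port(const char *url) { struct conn c; return classify_url(url, &c) == 0 ? c.port : -1; }
int url_tls(const char *url)  { struct conn c; return classify_url(url, &c) == 0 ? c.tls  : -1; }
```

A connect path that consults c->tls before sending any header is what keeps an Authorization header off port 80; the legacy function never sets it.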

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in axel (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for axel (Ubuntu) because there has been no activity for 60 days.]

Changed in axel (Ubuntu):
status: Incomplete → Expired