in apt-https Verify-Peer does not fail a connection on error
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apt (Ubuntu) | Fix Released | High | Unassigned | |
| Lucid | Fix Released | High | Unassigned | |
| Maverick | Fix Released | High | Unassigned | |
Bug Description
Description: Ubuntu 10.04.3 LTS
Release: 10.04
Package: apt-transport-https (0.7.25.3ubuntu9.7)
I have enabled Verify-Peer in the https options for apt. The debug reads as follows:

```
Trying 192.168.234.53... connected
Connected to 192.168.234.53 (192.168.234.53) port 443 (#0)
found 149 certificates in /etc/ssl/
SSL re-using session ID
server certificate verification OK
common name: 127.0.0.1 (does not match '192.168.234.53')
server certificate expiration date OK
server certificate activation date OK
certificate public key: RSA
certificate version: #3
subject: CN=127.0.0.1
start date: Fri, 30 Sep 2011 14:55:55 GMT
expire date: Sun, 29 Sep 2013 14:55:55 GMT
```
When checking the source I can see that the following code is executed:

```
// ... and hostname against cert CN or subjectAltName
int default_verify = 2;
bool verify = _config-
knob = "Acquire:
verify = _config-
if (!verify)
default_
curl_
```
According to documentation the CURLOPT_
The variable "default_verify" is set to 2 or 0 in the above code, but is not used. Instead the boolean variable "verify" is used in the call to set CURLOPT_
Probably the default_verify should be used in this call.
As the connection is not failed (but only logged), this might result in a connection to an unwanted host, thus the security vulnerability.
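The following is an added illustration, not apt's or libcurl's code: it models the name check against CN/subjectAltName and the three verification levels the report describes (0 = skip, 1 = check but only log, 2 = fail the connection) in Python. The certificate data is constructed to mirror the report (CN=127.0.0.1, no SAN); the level numbering follows the curl host-verification option, assumed here to be CURLOPT_SSL_VERIFYHOST, and the bool knob collapsing to level 1 is an assumption consistent with the logged-but-not-failed output above.

```python
import ipaddress
import logging

# Constructed peer cert in ssl.getpeercert() dict layout: CN=127.0.0.1, no SAN.
PEER_CERT = {"subject": ((("commonName", "127.0.0.1"),),)}

def cert_names(cert):
    """Names a client may match: SAN entries, with CN only as a fallback."""
    sans = [(k, v) for k, v in cert.get("subjectAltName", ())
            if k in ("DNS", "IP Address")]
    if sans:
        return sans
    return [("CN", v) for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def dns_match(pattern, host):
    """RFC 6125-style match: case-insensitive, one leading wildcard label at most."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    pl, hl = p.split("."), h.split(".")
    return len(pl) == len(hl) > 2 and pl[1:] == hl[1:]

def hostname_matches(cert, host):
    """True if host (DNS name or IP literal) matches the certificate."""
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None
    for kind, value in cert_names(cert):
        if host_ip is not None:
            try:
                if ipaddress.ip_address(value) == host_ip:
                    return True
            except ValueError:
                pass  # a DNS name never matches an IP literal
        elif kind != "IP Address" and dns_match(value, host):
            return True
    return False

def check_peer(cert, host, level):
    """0 = skip, 1 = check but only log, 2 = enforce; True if connection may proceed."""
    if level == 0 or hostname_matches(cert, host):
        return True
    logging.warning("certificate name does not match %r", host)
    return level == 1  # level 1 proceeds anyway: the behaviour the report shows

def level_from_knob(verify_peer):
    """The 0/2 integer apt should pass; passing the bool itself collapses to 1."""
    return 2 if verify_peer else 0
```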
Changed in apt (Ubuntu): status: New → In Progress; importance: Undecided → High
Changed in apt (Ubuntu): status: In Progress → Fix Released
Changed in apt (Ubuntu Lucid): status: New → In Progress
Changed in apt (Ubuntu Maverick): status: New → In Progress
Changed in apt (Ubuntu Lucid): importance: Undecided → High
Changed in apt (Ubuntu Maverick): importance: Undecided → High
Michael, could you please confirm this? Thanks.