urllib https implementation does not verify ssl certificates

Bug #651161 reported by dave b. on 2010-09-29
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Bazaar
High
Jelmer Vernooij
bzr (Debian)
Fix Released
Unknown
bzr (Ubuntu)
High
Jelmer Vernooij

Bug Description

Because pycurl isn't a dependency, only a "suggestion", it will not be installed with bzr on Ubuntu.
This is bad because the https implementation is broken as per bug http://bugs.python.org/issue1589
as bzr seems not to verify the common name (etc.) --> (see http://bazaar.launchpad.net/~bzr-pqm/bzr/bzr.dev/annotate/head%3A/bzrlib/transport/http/_urllib2_wrappers.py)

So your application is vulnerable: as long as I have a certificate signed by a CA in the CA store, I can MITM bzr by default - as pycurl isn't a dep. Iff pycurl is installed you are not vulnerable.
Please let me know if I am wrong :)

dave b. (d+b) on 2010-09-29
visibility: private → public

By this logic we should

1- require pycurl on Ubuntu
2- give some kind of user warning or opt-in before using non-pycurl https to cover other platforms

or if it is feasible, verify the CN ourselves?

What do you think, Vincent?
--
Martin

First:
- pycurl is still the default https implementation used if it is installed,
- users concerned with security are better served by using ssh and signing their revisions.

That being said, I suspect the more likely potential victims may not be aware of the problem at all and may not install pycurl nor use ssh nor sign their revisions.

Now, setting up a mitm attack alone is not enough, you also need to inject malicious code in a repo while still faking the signatures and sha1 associated with the revisions and that nobody checks the code nor inspects the merge results.

That still leaves a narrow window for people not signing and I'm not sure we check the sha1 in all scenarios either.

But given the work involved on our side to even diagnose if such an attack is feasible, I think we should just implement https support properly for our urllib-based implementation.

I think most of our users are using python2.6 now, so supporting 2.4 and 2.5 is less concerning than it was last time I worked on the subject.

Vincent Ladeuil (vila) on 2010-10-04
Changed in bzr:
status: New → Confirmed
importance: Undecided → Medium
dave b. (d+b) wrote :

The hg guys fixed this ... perhaps you could do what they do. (also see the python bug for the new ssl methods that now exist in 3.2)
Simply dropping the non-pycurl method may be a good idea? / adding a warning to the non-pycurl version.
So by default on ubuntu pycurl seems to be installed but on other distributions this may not be the case.

Jelmer Vernooij (jelmer) on 2011-02-01
tags: added: https pycurl
Jelmer Vernooij (jelmer) on 2011-03-07
Changed in bzr (Ubuntu):
status: New → Confirmed
Changed in bzr (Debian):
status: Unknown → New
Jelmer Vernooij (jelmer) wrote :

Shouldn't this be possible now with the ssl module in python 2.7?

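The fix the thread converges on is to make the urllib-based transport verify the chain and the host name itself, as pycurl already does. The following is an added example (not bzr's code, and not from the thread) showing what "verify the CN ourselves" amounts to with the stdlib ssl module: `ssl.create_default_context()` loads the system CA store and rejects chain or name mismatches, and `hostname_matches_cert` re-implements the name check over the dict `getpeercert()` returns so the rules are visible. `SAMPLE_CERT` is a constructed peer-cert dict, and `connect_verified` is a hypothetical helper name.

```python
import ssl
import socket

# Constructed stand-in for what ssl.SSLSocket.getpeercert() returns for a
# verified peer; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "bazaar.launchpad.net"),),),
    "subjectAltName": (("DNS", "bazaar.launchpad.net"), ("DNS", "*.launchpad.net")),
}


def _name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname.

    A wildcard is honoured only as the whole leftmost label and only against
    exactly one label, and must be followed by at least two labels, so
    '*.launchpad.net' matches 'code.launchpad.net' but never 'launchpad.net',
    'a.b.launchpad.net' or a bare '*.net'.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert, hostname):
    """True if the peer certificate is valid for hostname.

    subjectAltName dNSName entries are authoritative; the subject commonName
    is consulted only when the certificate carries no dNSName at all, which
    is the rule the stdlib's own checker follows.
    """
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            dns_names.extend(v for k, v in rdn if k == "commonName")
    return any(_name_matches(name, hostname) for name in dns_names)


def connect_verified(hostname, port=443, timeout=10):
    """Open a TLS socket that fails closed on any chain or name mismatch."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname
    sock = socket.create_connection((hostname, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=hostname)  # SNI + name check
    if not hostname_matches_cert(tls.getpeercert(), hostname):  # belt and braces
        tls.close()
        raise ssl.CertificateError("certificate not valid for %s" % hostname)
    return tls
```

The unverified behaviour the bug describes corresponds to wrapping the socket with `verify_mode = ssl.CERT_NONE` and no name check, which accepts any certificate a CA in the store has signed for any host.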
Changed in bzr (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High
Jelmer Vernooij (jelmer) on 2011-11-24
Changed in bzr:
status: Confirmed → In Progress
assignee: nobody → Jelmer Vernooij (jelmer)
importance: Medium → High
Jelmer Vernooij (jelmer) on 2011-12-20
summary: - bzr fails to verify ssl validity in https connections - by default -->
- as pycurl isn't a dep only a suggestion
+ urllib https implementation does not verify ssl certificates
Changed in bzr (Ubuntu):
assignee: nobody → Jelmer Vernooij (jelmer)
Changed in bzr (Debian):
status: New → Confirmed
Jelmer Vernooij (jelmer) on 2012-01-05
Changed in bzr:
milestone: none → 2.5b5
Jelmer Vernooij (jelmer) on 2012-01-07
Changed in bzr (Ubuntu):
status: Triaged → In Progress
Vincent Ladeuil (vila) on 2012-01-12
Changed in bzr:
milestone: 2.5b5 → none
Vincent Ladeuil (vila) on 2012-01-20
Changed in bzr:
milestone: none → 2.5.0
status: In Progress → Fix Released
Changed in bzr (Debian):
status: Confirmed → Fix Released
Vincent Ladeuil (vila) on 2012-01-31
Changed in bzr:
milestone: 2.5.0 → 2.5b6
Jelmer Vernooij (jelmer) on 2012-04-08
Changed in bzr (Ubuntu):
status: In Progress → Fix Released