on https sites, subresource certificates are not validated

Bug #1541109 reported by Ryan Castellucci on 2016-02-02
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
Liferea | New | Undecided | Unassigned |
Midori Web Browser | Fix Released | Undecided | Unassigned |
Debian | Invalid | Undecided | Unassigned |
epiphany-webkit (Ubuntu) | | Undecided | Unassigned |
midori (Ubuntu) | | Undecided | Unassigned |
surf (Ubuntu) | | Undecided | Reiner Herrmann |
webkitgtk (Ubuntu) | | Undecided | Unassigned |
xxxterm (Ubuntu) | | Undecided | Unassigned |

Bug Description

Midori will silently load content, including scripts, from servers with invalid certificates. This allows a MitM attacker to inject code into most web pages.

Further explanation and test case: https://rya.nc/https-script.html
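
Added example (not part of the original report or of any affected project): a server-side check that lists every HTTPS origin a page pulls subresources from and attempts a strictly validated handshake with each, since an affected client would load from a failing origin without any warning. The sample page, host names and function names are constructed for illustration.

```python
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes a browser fetch a subresource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# Constructed sample page (hypothetical hosts), not taken from the bug report.
PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """<script src="https://cdn.example.net/app.js"></script>
<link rel="stylesheet" href="//static.example.org:8443/site.css">
<link rel="canonical" href="https://www.example.com/">
<img src="/logo.png"><img src="http://plain.example.com/x.png">"""

class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.origins = page_url, set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched as subresources
        ref = a.get(FETCH_ATTRS.get(tag, ""))
        if not ref:
            return
        parts = urlsplit(urljoin(self.page_url, ref))  # resolves relative and // URLs
        if parts.scheme == "https" and parts.hostname:
            self.origins.add((parts.hostname, parts.port or 443))

def subresource_origins(page_url, html):
    """Return the sorted (host, port) pairs the page loads from over HTTPS."""
    collector = _Collector(page_url)
    collector.feed(html)
    return sorted(collector.origins)

def cert_error(host, port, timeout=5.0):
    """Strict handshake: chain and hostname are both verified. None means valid."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except OSError as exc:  # includes ssl.SSLCertVerificationError
        return f"{type(exc).__name__}: {exc}"

def audit(page_url, html, probe=cert_error):
    """Map each subresource origin that fails validation to its error text."""
    results = {o: probe(*o) for o in subresource_origins(page_url, html)}
    return {o: err for o, err in results.items() if err is not None}
```

Calling `audit(PAGE_URL, SAMPLE_HTML)` with the default probe makes real connections; pass a different `probe` callable to run it without network access.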

Usama Akkad (damascene) wrote :

Tested with Midori 0.5.11 on Ubuntu 16.04; the test case shows that the vulnerability is present.

information type: Public → Public Security
Ryan Castellucci (eghjqanu6c) wrote :

also reported to be affected

Ryan Castellucci (eghjqanu6c) wrote :

Verified on Ubuntu 14.04.

Tested with ArchLinux and Midori is affected here.
Version info:
Midori 0.5.11 ((null)) Midori
GTK+ 3.18.2 (3.18.6) Glib 2.46.1 (2.46.2)
WebKitGTK+ 2.4.9 (2.4.9) libSoup 2.52.1
cairo 1.14.4 (1.14.6) libnotify No
gcr 3.18.0 granite No

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in epiphany-webkit (Ubuntu):
status: New → Confirmed
Changed in midori (Ubuntu):
status: New → Confirmed
Changed in surf (Ubuntu):
status: New → Confirmed
Changed in xxxterm (Ubuntu):
status: New → Confirmed
Changed in webkitgtk (Ubuntu):
status: New → Confirmed
Usama Akkad (damascene) wrote :

It might be useful to note that there are similar security issues with all the packages that are using webkit1.
Some extra tests:
https://www.ssllabs.com/ssltest/viewMyClient.html
https://www.howsmyssl.com/

Usama Akkad (damascene) wrote :

The same bug is in the Liferea news reader:
https://github.com/lwindolf/liferea/issues/315

Changed in midori:
milestone: none → 0.6.0
Reiner Herrmann (deki) on 2016-05-29
Changed in surf (Ubuntu):
assignee: nobody → Reiner Herrmann (deki)
status: Confirmed → Fix Committed
Mattia Rizzolo (mapreri) wrote :

The whole of Debian is not affected.
You should rather pin down single packages.

Changed in debian:
status: New → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package surf - 0.7-2

---------------
surf (0.7-2) unstable; urgency=low

  [ Reiner Herrmann ]
  * Bump Standards-Version to 3.9.8.
  * Use https in Vcs-Git.
  * Enable strict SSL to prevent MitM attacks. (LP: #1541109)

  [ Dmitry Bogatov ]
  * Honour HOME/USER variables while searching for home dir. (Closes: #825397)

 -- Reiner Herrmann <email address hidden> Sun, 29 May 2016 13:02:53 +0200

Changed in surf (Ubuntu):
status: Fix Committed → Fix Released
Changed in midori:
status: New → Fix Released