on https sites, subresource certificates are not validated

Bug #1541109 reported by Ryan Castellucci
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Liferea | New | Undecided | Unassigned | |
| Midori Web Browser | Fix Released | Undecided | Unassigned | |
| Debian | Invalid | Undecided | Unassigned | |
| epiphany-webkit (Ubuntu) | Confirmed | Undecided | Unassigned | |
| midori (Ubuntu) | Confirmed | Undecided | Unassigned | |
| surf (Ubuntu) | Fix Released | Undecided | Reiner Herrmann | |
| webkitgtk (Ubuntu) | Confirmed | Undecided | Unassigned | |
| xxxterm (Ubuntu) | Confirmed | Undecided | Unassigned | |

Bug Description

Midori will silently load content, including scripts, from servers with invalid certificates. This allows a MitM attacker to inject code into most web pages.

Further explanation and test case: https://rya.nc/https-script.html

Usama Akkad (damascene) wrote :

Tested with Midori 0.5.11 on Ubuntu 16.04; the test case shows that the vulnerability is present.

information type: Public → Public Security
Ryan Castellucci (eghjqanu6c) wrote :

also reported to be affected

Ryan Castellucci (eghjqanu6c) wrote :

Verified on Ubuntu 14.04.

صفا الفليج (safaalfulaij) wrote :

Tested with ArchLinux and Midori is affected here.
Version info:
Midori 0.5.11 ((null)) Midori
GTK+ 3.18.2 (3.18.6) Glib 2.46.1 (2.46.2)
WebKitGTK+ 2.4.9 (2.4.9) libSoup 2.52.1
cairo 1.14.4 (1.14.6) libnotify No
gcr 3.18.0 granite No

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in epiphany-webkit (Ubuntu):
status: New → Confirmed
Changed in midori (Ubuntu):
status: New → Confirmed
Changed in surf (Ubuntu):
status: New → Confirmed
Changed in xxxterm (Ubuntu):
status: New → Confirmed
Changed in webkitgtk (Ubuntu):
status: New → Confirmed
Usama Akkad (damascene) wrote :

It might be useful to note that there are similar security issues with all the packages that are using webkit1.
Some extra tests:
https://www.ssllabs.com/ssltest/viewMyClient.html
https://www.howsmyssl.com/

Usama Akkad (damascene) wrote :

Same bug is in Liferea news reader
https://github.com/lwindolf/liferea/issues/315

Cris Dywan (kalikiana)
Changed in midori:
milestone: none → 0.6.0
Reiner Herrmann (deki)
Changed in surf (Ubuntu):
assignee: nobody → Reiner Herrmann (deki)
status: Confirmed → Fix Committed
Mattia Rizzolo (mapreri) wrote :

The whole of Debian is not affected.
You should rather pin down single packages.

Changed in debian:
status: New → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package surf - 0.7-2

---------------
surf (0.7-2) unstable; urgency=low

  [ Reiner Herrmann ]
  * Bump Standards-Version to 3.9.8.
  * Use https in Vcs-Git.
  * Enable strict SSL to prevent MitM attacks. (LP: #1541109)

  [ Dmitry Bogatov ]
  * Honour HOME/USER variables while searching for home dir. (Closes: #825397)

 -- Reiner Herrmann <email address hidden> Sun, 29 May 2016 13:02:53 +0200

Changed in surf (Ubuntu):
status: Fix Committed → Fix Released
Cris Dywan (kalikiana)
Changed in midori:
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.