ubuntu-sso-client doesn't validate ssl certificates

in the ubuntu_sso/gtk/gui.py file, it also uses webkit without setting the "ssl-strict" and "ssl-ca-file" properties, so it's not doing certificate checking in the webkit parts either.

This bug is embargoed and _must_ remain private until the security team sets a unembargo date. Please do not comment publically, or check code into public software repositories until then.

Here is an example script that shows how to do certificate validation with urllib2.

Here is a webkit example for oneiric+

Here is a webkit example for natty and older

This is a patch for lp:ubuntu-sso-client/stable-1-4 that adds a module with the same api that urllib2, but using pycurl and validating the SSL certificates.

This is a patch for lp:ubuntu-sso-client/stable-1-2

This is a patch for lp:ubuntu-sso-client/stable-1-0

Thanks for the patches, I'll work on security updates for this. Do not commit publically until the security updates have been published. Thanks!

This is CVE-2011-4408

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

This bug was fixed in the package ubuntu-sso-client - 1.4.1-0ubuntu1.1

---------------
ubuntu-sso-client (1.4.1-0ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882055)
    - debian/patches/CVE-2011-4408.patch: use pycurl instead of urllib2 in
      ubuntu_sso/account.py,
      ubuntu_sso/credentials.py,
      ubuntu_sso/tests/test_credentials.py,
      ubuntu_sso/utils/curllib.py,
      ubuntu_sso/utils/tests/test_curllib.py.
    - debian/control: add python-pycurl dependency.
    - CVE-2011-4408
 -- Marc Deslauriers <email address hidden> Fri, 25 May 2012 10:32:37 -0400

This bug was fixed in the package ubuntu-sso-client - 1.2.1-0ubuntu2.1

---------------
ubuntu-sso-client (1.2.1-0ubuntu2.1) natty-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882055)
    - debian/patches/CVE-2011-4408.patch: use pycurl instead of urllib2 in
      ubuntu_sso/account.py,
      ubuntu_sso/credentials.py,
      ubuntu_sso/tests/test_credentials.py,
      ubuntu_sso/utils/curllib.py,
      ubuntu_sso/utils/tests/test_curllib.py.
    - debian/control: add python-pycurl dependency.
    - CVE-2011-4408
 -- Marc Deslauriers <email address hidden> Tue, 31 Jan 2012 14:01:31 -0500

This bug was fixed in the package ubuntu-sso-client - 3.99.0-0ubuntu1

---------------
ubuntu-sso-client (3.99.0-0ubuntu1) quantal; urgency=low

  * New upstream release.
    - Remove some code duplication in web client. (LP: #904842)
    - Handle starting with the -testsability argument. (LP: #984964)
    - Log more details for SSL validation failure. (LP: #987405)
    - Use the new dev-tools API in tests. (LP: #988809)
    - Use the network detection page before signup/login. (LP: #996025)
    - Fix size of password assistance label in reset dialog. (LP: #999885)
    - ubuntu-sso-login-qt crashed with TypeError in got_state. (LP: #1003692)
  * debian/control:
    - Update dependencies to allow running unit tests during build.
  * debian/patches:
    - Remove upstreamed patches.
  * debian/patches/00_bug711413.patch:
    - Trap DBusException when connecting to session bus. (LP: #711413)
  * debian/patches/01_bug882055.patch:
    - Tell libsoup to use strict ssl with system ca certs. (LP: #882055)
  * debian/rules:
    - Enable unit tests during build.
  * debian/watch:
    - Update to use stable-4-0 series for Quantal.
 -- Rodney Dawes <email address hidden> Fri, 15 Jun 2012 16:52:27 -0400

Hello Marc, or anyone else affected,

Accepted ubuntu-sso-client into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/ubuntu-sso-client/3.0.2-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!