in apt-https Verify-Peer does not fail a connection on error

Bug #868353 reported by Blackmoon on 2011-10-05
264
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apt (Ubuntu)
High
Unassigned
Lucid
High
Unassigned
Maverick
High
Unassigned

Bug Description

Description: Ubuntu 10.04.3 LTS
Release: 10.04
Package: apt-transport-https (0.7.25.3ubuntu9.7)

I have enabled Verify-Peer in the https options for apt. The debug reads as follows:

Trying 192.168.234.53... connected
  Connected to 192.168.234.53 (192.168.234.53) port 443 (#0)
 found 149 certificates in /etc/ssl/certs/ca-certificates.crt
 SSL re-using session ID
        server certificate verification OK
        common name: 127.0.0.1 (does not match '192.168.234.53')
        server certificate expiration date OK
        server certificate activation date OK
        certificate public key: RSA
        certificate version: #3
        subject: CN=127.0.0.1
        start date: Fri, 30 Sep 2011 14:55:55 GMT
        expire date: Sun, 29 Sep 2013 14:55:55 GMT

When checking the source I can see, that the following code is executed:

   // ... and hostname against cert CN or subjectAltName
   int default_verify = 2;
   bool verify = _config->FindB("Acquire::https::Verify-Host",true);
   knob = "Acquire::https::"+remotehost+"::Verify-Host";
   verify = _config->FindB(knob.c_str(),verify);
   if (!verify)
      default_verify = 0;
   curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify);

According to documentation the CURLOPT_SSL_VERIFYHOST accepts the values 0, 1 and 2. The value 1 is not recommended, as it flags the non-matching hostname, but does not fail the connection.
The variable "default_verify" is set to 2 or 0 in the above code, but is not used. Instead the boolean variable "verify" is used in the call to set CURLOPT_SSL_VERIFYHOST.

Probably the default_verify should be used in this call.

As the connection is not failed (but only logged), this might result in an connection to an unwanted host, thus the security vulnerability.

Marc Deslauriers (mdeslaur) wrote :

Michael, could you please confirm this? Thanks.

David Kalnischkies (donkult) wrote :

Michael, i have no time yet as i am in the university, but it should be fixed in APT 0.8.11 (rev 2053.1.28 in debian-sid), so more recent ubuntu versions should be fixed, too. Don't know about security implications of that yet, but lets me add that 'debian squeeze' is effected as we ship 0.8.10 in that.

Michael Vogt (mvo) on 2011-10-17
Changed in apt (Ubuntu):
status: New → In Progress
importance: Undecided → High
Michael Vogt (mvo) on 2011-10-17
Changed in apt (Ubuntu):
status: In Progress → Fix Released
Changed in apt (Ubuntu Lucid):
status: New → In Progress
Changed in apt (Ubuntu Maverick):
status: New → In Progress
Changed in apt (Ubuntu Lucid):
importance: Undecided → High
Changed in apt (Ubuntu Maverick):
importance: Undecided → High
Michael Vogt (mvo) wrote :
Michael Vogt (mvo) wrote :
Michael Vogt (mvo) wrote :

This will need coordination with debian too as squeeze is affected. The diffs will apply cleanly there.

Marc Deslauriers (mdeslaur) wrote :

Since the commit that fixes this issue is already public, I am marking this bug public also.

visibility: private → public
visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.3ubuntu7.3

---------------
apt (0.8.3ubuntu7.3) maverick-security; urgency=low

  * SECURITY UPDATE: sensitive information disclosure via incorrect
    hostname validation (LP: #868353)
    - methods/https.cc: properly set CURLOPT_SSL_VERIFYHOST.
    - CVE-2011-3634
  * SECURITY UPDATE: Restore apt-ket net-update functionality (LP: #857472)
    - cmdline/apt-key: improve key validation.
 -- Marc Deslauriers <email address hidden> Tue, 22 Nov 2011 13:50:41 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.25.3ubuntu9.9

---------------
apt (0.7.25.3ubuntu9.9) lucid-security; urgency=low

  * SECURITY UPDATE: sensitive information disclosure via incorrect
    hostname validation (LP: #868353)
    - methods/https.cc: properly set CURLOPT_SSL_VERIFYHOST.
    - CVE-2011-3634
  * SECURITY UPDATE: Restore apt-ket net-update functionality (LP: #857472)
    - cmdline/apt-key: improve key validation.
 -- Marc Deslauriers <email address hidden> Tue, 22 Nov 2011 13:56:02 -0500

Changed in apt (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in apt (Ubuntu Maverick):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers