checkbox fails to verify ssl validity in data exchange with launchpad.net

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Checkbox | Fix Released | High | Marc Tardif |
checkbox (Ubuntu) | Fix Released | High | Marc Tardif |
Maverick | Won't Fix | High | Marc Tardif |
Bug Description

Binary package hint: checkbox

Checkbox collects personal and private system data and sends it to launchpad.net. However, it fails to verify that the SSL certificate for launchpad.net is valid.

Here is the relevant code.

    plugins/
    httplib.

However, if the user is using an https proxy (really unlikely), then the code (connection = ProxyHTTPSConne

    class ProxyHTTPSConne
        default_port = httplib.HTTPS_PORT
        def __init__(self, host, port=None, key_file=None, cert_file=None, strict=None):
        def connect(self):
            self.sock = _ssl_wrap_

So it would use _ssl_wrap_socket, which is defined at the top as

    # Build the appropriate socket wrapper for ssl
    try:
        # Python 2.6 introduced a better ssl package
        import ssl
        _ssl_
    except ImportError:
        # Python versions prior to 2.6 don't have ssl and ssl.wrap_socket; instead
        # they use httplib.FakeSocket
        def _ssl_wrap_
            ssl_sock = socket.ssl(sock, key_file, cert_file)
            return httplib.

However, as the code has connection = ProxyHTTPSConne

You can test this out by editing /etc/hosts and pointing launchpad.net to another IP (which has an https server running) and viewing the data exchange in Wireshark.
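The contrast the report draws, as an added Python 3 example that is not checkbox's transport.py or any other code from the project: `legacy_context` reproduces what an `ssl.wrap_socket(sock)` call with no `cert_reqs` (and Python 2's `httplib.HTTPSConnection`) gave you, a TLS session with no certificate check at all, and `verifying_context` is the corrected form, chain validation against a CA bundle plus hostname matching. `https_connection` covers the proxied path the report singles out by opening an HTTP CONNECT tunnel and verifying the origin host's name, not the proxy's. The function names, `post_report`, and the proxy address `proxy.example` are this example's own assumptions.

```python
"""Verifying HTTPS client, direct or via a CONNECT proxy (Python 3).

Added example, not checkbox's code. ``legacy_context`` mirrors the
unverified wrap the bug report describes; ``verifying_context`` is the
hardened equivalent.
"""
import http.client
import ssl
from typing import Optional, Tuple


def legacy_context() -> ssl.SSLContext:
    """What ssl.wrap_socket(sock) without cert_reqs amounted to:
    any certificate, for any name, is accepted (CERT_NONE)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context that rejects untrusted chains and mismatched names."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    if ca_bundle is not None:
        # Optional: trust only a specific bundle instead of the system store.
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True only if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def https_connection(host: str, port: int = 443,
                     proxy: Optional[Tuple[str, int]] = None,
                     context: Optional[ssl.SSLContext] = None,
                     ) -> http.client.HTTPSConnection:
    """Build an HTTPSConnection that verifies the origin certificate.

    With a proxy, TCP goes to the proxy and an HTTP CONNECT tunnel is
    opened to ``host``; TLS is then negotiated through the tunnel and the
    name checked is ``host``, not the proxy.  Nothing connects until
    request() is called.
    """
    ctx = verifying_context() if context is None else context
    if proxy is None:
        return http.client.HTTPSConnection(host, port, context=ctx)
    conn = http.client.HTTPSConnection(proxy[0], proxy[1], context=ctx)
    conn.set_tunnel(host, port)         # hypothetical proxy path, verified
    return conn


def post_report(host: str, path: str, body: bytes,
                proxy: Optional[Tuple[str, int]] = None) -> int:
    """Send a report and return the HTTP status.

    Against an impostor (e.g. /etc/hosts pointing launchpad.net at another
    server, the test the report describes) this raises ssl.SSLError during
    the handshake instead of sending the data.
    """
    conn = https_connection(host, 443, proxy=proxy)
    try:
        conn.request("POST", path, body=body,
                     headers={"Content-Type": "application/octet-stream"})
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    print("verifying context checks cert+name:", context_verifies(verifying_context()))
    print("legacy context checks cert+name:   ", context_verifies(legacy_context()))
```

The only lines that matter for the fix are the context construction and, in the proxy case, `set_tunnel`: a client that wraps the socket to the proxy and verifies the proxy's name (or nothing at all) still lets anyone who controls DNS or the route for launchpad.net read the report.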
Related branches
- Marc Deslauriers (community): Approve
- Marc Tardif (community): Needs Information
  Diff: 56 lines (+27/-1), 2 files modified
    checkbox/lib/transport.py (+26/-1)
    debian/changelog (+1/-0)
- Daniel Holbach (community): Needs Information
  Diff: 8336 lines (+2048/-1194), 32 files modified
    checkbox/job.py (+9/-0)
    checkbox/lib/transport.py (+26/-1)
    checkbox/parsers/udev.py (+16/-4)
    checkbox/report.py (+39/-12)
    checkbox/tests/report.py (+1/-1)
    checkbox/variables.py (+1/-1)
    checkbox_gtk/gtk_interface.py (+6/-5)
    checkbox_gtk/hyper_text_view.py (+3/-1)
    data/whitelists/default.whitelist (+1/-0)
    debian/changelog (+27/-0)
    debian/control (+2/-2)
    debian/po/it.po (+17/-9)
    jobs/disk.txt.in (+1/-1)
    jobs/info.txt.in (+9/-0)
    jobs/mediacard.txt.in (+1/-1)
    jobs/memory.txt.in (+2/-2)
    jobs/monitor.txt.in (+1/-1)
    jobs/suspend.txt.in (+2/-2)
    plugins/intro_prompt.py (+2/-4)
    plugins/jobs_prompt.py (+5/-0)
    plugins/launchpad_prompt.py (+2/-2)
    plugins/launchpad_report.py (+25/-18)
    plugins/recover_prompt.py (+1/-2)
    plugins/report_prompt.py (+7/-0)
    plugins/suites_prompt.py (+2/-3)
    po/es.po (+91/-92)
    po/hu.po (+230/-209)
    po/it.po (+588/-363)
    po/zh_CN.po (+250/-233)
    po/zh_TW.po (+147/-224)
    report/hardware-1_0.rng (+533/-0)
    scripts/gconf_resource (+1/-1)
security vulnerability: yes → no
visibility: private → public
security vulnerability: no → yes
Changed in checkbox (Ubuntu):
  milestone: none → ubuntu-10.10-beta
  status: New → Confirmed
  importance: Undecided → High
Changed in checkbox (Ubuntu Maverick):
  milestone: ubuntu-10.10-beta → ubuntu-10.10
Changed in checkbox (Ubuntu Maverick):
  milestone: ubuntu-10.10 → maverick-updates
Changed in checkbox:
  milestone: 0.12.5 → 0.12.6
Changed in checkbox:
  status: Triaged → In Progress
  assignee: Canonical Hardware Certification (canonical-hw-cert) → Marc Tardif (cr3)
Changed in checkbox:
  status: In Progress → Fix Committed
Changed in checkbox:
  status: Fix Committed → Fix Released
Marc, can you look at this issue? Thanks.