2016-03-12 00:06:07 |
Matthew Hall |
bug |
|
|
added bug |
2016-03-12 00:06:07 |
Matthew Hall |
attachment added |
|
official libcurl patch from Daniel Stenberg https://bugs.launchpad.net/bugs/1556330/+attachment/4596446/+files/libcurl_broken_pkcs12.patch |
|
2016-03-12 00:23:07 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2016-03-12 00:23:15 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2016-03-12 00:41:00 |
Mathew Hodson |
nominated for series |
|
Ubuntu Trusty |
|
2016-03-12 00:44:09 |
Mathew Hodson |
curl (Ubuntu): importance |
Undecided |
Medium |
|
2016-03-12 00:44:09 |
Mathew Hodson |
curl (Ubuntu): status |
New |
Fix Released |
|
2016-03-12 00:44:26 |
Mathew Hodson |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2016-03-12 00:49:46 |
Mathew Hodson |
description |
The following bug from upstream libcurl should be fixed in Ubuntu Stable and Ubuntu LTS trains:
https://sourceforge.net/p/curl/bugs/1371/
The bug fix consists of one missing break statement at the end of a case in a switch statement.
I personally patched the bug using source code release curl_7.35.0-1ubuntu2.6.dsc, used in Ubuntu 14.04 LTS, and verified it does indeed fix the bug and all of the package's tests still pass afterwards.
Impact: The bug makes it impossible to use PKCS#12 secure storage of client certificates and private keys with any affected Ubuntu releases. The fix is one line fixing a broken switch statement and was already tested against Ubuntu 14.04 LTS with a rebuilt curl package.
Testing: The bug can be reproduced using the following libcurl parameters (even via CLI, pycurl, etc.).
CURLOPT_SSLCERTTYPE == "P12"
CURLOPT_SSLCERT = path to PKCS#12
CURLOPT_SSLKEY = path to PKCS#12
CURLOPT_SSLKEYPASSWD = key for PKCS#12 if needed
Basically, just use a PKCS#12 format client certificate and private key against some certificate-protected web server.
Regression Potential: If it could possibly break anything, which is extraordinarily unlikely, it would break one of the three client certificate formats (most likely PKCS#12 but also PEM or DER). Note that one of the three formats is already broken due to the bug. Client certificates of all three types could be checked to prevent this. |
[Impact]
The bug makes it impossible to use PKCS#12 secure storage of client certificates and private keys with any affected Ubuntu releases. The fix is one line fixing a broken switch statement and was already tested against Ubuntu 14.04 LTS with a rebuilt curl package.
This was fixed in upstream libcurl in the following bug:
https://sourceforge.net/p/curl/bugs/1371/
The bug fix consists of one missing break statement at the end of a case in a switch statement.
I personally patched the bug using source code release curl_7.35.0-1ubuntu2.6.dsc, used in Ubuntu 14.04 LTS, and verified it does indeed fix the bug and all of the package's tests still pass afterwards.
[Test Case]
The bug can be reproduced using the following libcurl parameters (even via CLI, pycurl, etc.).
CURLOPT_SSLCERTTYPE == "P12"
CURLOPT_SSLCERT = path to PKCS#12
CURLOPT_SSLKEY = path to PKCS#12
CURLOPT_SSLKEYPASSWD = key for PKCS#12 if needed
Basically, just use a PKCS#12 format client certificate and private key against some certificate-protected web server.
[Regression Potential]
If it could possibly break anything, which is extraordinarily unlikely, it would break one of the three client certificate formats (most likely PKCS#12 but also PEM or DER). Note that one of the three formats is already broken due to the bug. Client certificates of all three types could be checked to prevent this. |
|
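The description above says the whole defect is one missing break at the end of a case in the certificate-type switch. The block below is an added example that models that failure mode in a small C program; it is not curl's code and not the upstream patch. The enum, the function names and the "not supported file type" message are assumptions made for illustration: a PKCS#12 case that does its work and then falls into the default case reports failure even though the bundle was already loaded, which is exactly the symptom the reporter describes (P12 unusable while PEM and DER keep working).

```c
/* Added example: a minimal model of a certificate-type dispatch with the
 * missing-break bug beside the corrected form. Not libcurl's code; names,
 * cases and messages are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

typedef enum { CERT_PEM, CERT_DER, CERT_P12, CERT_UNKNOWN } cert_type_t;

/* Outcome of a load attempt. 'loaded' records whether the case body ran,
 * so the fallthrough can be distinguished from a case that never matched. */
typedef struct {
    int ok;          /* 1 = caller may proceed with the TLS handshake */
    int loaded;      /* 1 = a cert+key were actually installed */
    const char *msg; /* last message the dispatch produced */
} load_result_t;

/* ASCII case-insensitive compare, so "p12" and "P12" are treated alike
 * (assumption: matches how the option value is written in the report). */
static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++) {
        char ca = (*a >= 'A' && *a <= 'Z') ? (char)(*a + 32) : *a;
        char cb = (*b >= 'A' && *b <= 'Z') ? (char)(*b + 32) : *b;
        if (ca != cb) return 0;
    }
    return *a == '\0' && *b == '\0';
}

/* Map the CURLOPT_SSLCERTTYPE string ("PEM", "DER", "P12") to a type. */
cert_type_t parse_cert_type(const char *s) {
    if (s == NULL || eq_nocase(s, "PEM")) return CERT_PEM; /* PEM is curl's default */
    if (eq_nocase(s, "DER")) return CERT_DER;
    if (eq_nocase(s, "P12")) return CERT_P12;
    return CERT_UNKNOWN;
}

/* Buggy dispatch: the P12 case has no break, so after the PKCS#12 bundle
 * is loaded control continues into 'default' and the call fails anyway. */
load_result_t load_client_cert_buggy(cert_type_t t) {
    load_result_t r = { 0, 0, "" };
    switch (t) {
    case CERT_PEM: r.loaded = 1; r.ok = 1; r.msg = "loaded PEM"; break;
    case CERT_DER: r.loaded = 1; r.ok = 1; r.msg = "loaded DER"; break;
    case CERT_P12:
        r.loaded = 1; r.ok = 1; r.msg = "loaded PKCS#12";
        /* fall through */   /* <-- the missing break */
    default:
        r.ok = 0; r.msg = "not supported file type";
    }
    return r;
}

/* Fixed dispatch: identical except for the single added break. */
load_result_t load_client_cert_fixed(cert_type_t t) {
    load_result_t r = { 0, 0, "" };
    switch (t) {
    case CERT_PEM: r.loaded = 1; r.ok = 1; r.msg = "loaded PEM"; break;
    case CERT_DER: r.loaded = 1; r.ok = 1; r.msg = "loaded DER"; break;
    case CERT_P12:
        r.loaded = 1; r.ok = 1; r.msg = "loaded PKCS#12";
        break;               /* <-- the one-line fix */
    default:
        r.ok = 0; r.msg = "not supported file type";
    }
    return r;
}

int main(void) {
    const char *types[] = { "PEM", "DER", "P12", "bogus" };
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        cert_type_t t = parse_cert_type(types[i]);
        load_result_t b = load_client_cert_buggy(t);
        load_result_t f = load_client_cert_fixed(t);
        printf("%-5s buggy: ok=%d loaded=%d (%s) | fixed: ok=%d loaded=%d (%s)\n",
               types[i], b.ok, b.loaded, b.msg, f.ok, f.loaded, f.msg);
    }
    return 0;
}
```

Two practical checks follow from this. Building with `-Wimplicit-fallthrough` (GCC and Clang) flags a case that runs into the next one without a break or a fallthrough annotation, which is the cheapest way to catch this class before it ships. And on a patched package, the reporter's test case reduces to the CLI form `curl --cert-type P12 --cert client.p12:password https://server/` against a server that requires a client certificate; on an unpatched build the same command fails before the handshake even though the bundle and password are correct.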
2016-03-12 00:49:54 |
Mathew Hodson |
tags |
patch |
patch trusty |
|
2016-03-12 01:35:57 |
C de-Avillez |
curl (Ubuntu): milestone |
|
trusty-updates |
|
2016-03-12 01:36:04 |
C de-Avillez |
curl (Ubuntu): milestone |
trusty-updates |
|
|
2016-03-12 01:36:20 |
C de-Avillez |
bug task added |
|
curl (Ubuntu Trusty) |
|
2016-03-12 01:40:57 |
Brian Murray |
curl (Ubuntu Trusty): status |
New |
Triaged |
|
2016-03-12 01:40:59 |
Brian Murray |
curl (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2016-03-12 16:26:11 |
Gianfranco Costamagna |
attachment added |
|
debdiff https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1556330/+attachment/4596928/+files/debdiff |
|
2016-03-14 02:52:33 |
Mathew Hodson |
tags |
patch trusty |
bitesize patch trusty |
|
2016-04-12 13:15:16 |
Marc Deslauriers |
curl (Ubuntu Trusty): status |
Triaged |
In Progress |
|
2016-04-12 13:15:26 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2016-04-12 13:16:25 |
Marc Deslauriers |
bug |
|
|
added subscriber Marc Deslauriers |
2016-04-20 13:38:02 |
Chris J Arges |
curl (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2016-04-20 13:38:04 |
Chris J Arges |
bug |
|
|
added subscriber SRU Verification |
2016-04-20 13:38:07 |
Chris J Arges |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2016-04-20 13:38:13 |
Chris J Arges |
tags |
bitesize patch trusty |
bitesize patch trusty verification-needed |
|
2016-07-16 01:15:00 |
Matthew Hall |
tags |
bitesize patch trusty verification-needed |
bitesize patch trusty verification-done |
|
2016-07-19 19:36:36 |
Launchpad Janitor |
curl (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2016-07-19 19:36:43 |
Adam Conrad |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|