no SSL certificate verify

Bug #1677493 reported by Ruan Linqi
Affects: r-cran-rsclient (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Hi developers:
    We made a large-scale security static analysis on several open source projects, and found some mistakes in r-cran-rsclient_0.7-3. In @src/cli.c:146:

    static int tls_upgrade(rsconn_t *c) {
        SSL *ssl;
        SSL_CTX *ctx;
        if (first_tls)
            init_tls();
        /* no SSL_CTX_set_verify() call: the context keeps the default SSL_VERIFY_NONE */
        ctx = SSL_CTX_new(SSLv23_client_method());
        SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
        c->tls = ssl = SSL_new(ctx);
        c->send = tls_send;
        c->recv = tls_recv;
        SSL_set_fd(ssl, c->s);
        /* SSL_CTX_free(ctx) // check whether this is safe - it should be since ssl has the reference ... */
        /* handshake result is returned, but the peer certificate is never checked */
        return SSL_connect(ssl);
    }

    When the SSL connect finishes, you immediately start to execute read/write operations without verifying the certificate, which can lead to a MITM attack and cause leakage of sensitive data. We recommend you add a verify operation such as SSL_CTX_set_verify or SSL_get_peer_certificate to guarantee the security.
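The following is an added example, not code from the report or from rsclient: it mirrors the reported tls_upgrade() with Python's ssl module (a wrapper over the same OpenSSL calls) to show the unverified context beside the hardened one, and a small audit function that flags the misconfiguration. The optional cafile path and the socket/server_name parameters are assumptions for illustration.

```python
"""Python ssl mirrors the OpenSSL calls named in the report:
SSL_CTX_set_verify -> verify_mode, SSL_set1_host -> check_hostname,
SSL_get_peer_certificate -> getpeercert()."""
import socket
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """What the reported code amounts to: a client context left at the
    OpenSSL default SSL_VERIFY_NONE, so any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # == SSL_VERIFY_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Equivalent of SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL) plus a
    hostname check; cafile is an assumed optional path to a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # SSLv23_client_method() also allowed SSLv3/TLS1.0
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Static check for the misconfiguration described in the report."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: peer certificate never verified")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate not bound to server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


def tls_upgrade(sock: socket.socket, server_name: str, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Hardened counterpart of rsclient's tls_upgrade(): the handshake fails
    on an untrusted chain, and the peer certificate is checked explicitly too."""
    tls = ctx.wrap_socket(sock, server_hostname=server_name)  # SSL_connect() with verification
    if not tls.getpeercert():      # SSL_get_peer_certificate() == NULL
        tls.close()
        raise ssl.SSLError("no peer certificate presented")
    return tls
```

With hardened_context(), a connection to a server presenting a self-signed or mismatched certificate raises ssl.SSLCertVerificationError instead of silently proceeding.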

information type: Private Security → Public