Quantal software-properties incorrectly validating ssl certs
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| software-properties (Ubuntu) | Fix Released | High | Mathieu Trudel-Lapierre | |
Bug Description
The python3 migration of software-properties causes it to incorrectly validate ssl certificates, leading to a MITM being able to compromise a remote system. It basically reverts the fix for LP: 915210.
from softwarepropert
```python
<snip>
# None means use the system default SSL store.
# Otherwise a path to a file is expected (as a bundle of certs)
LAUNCHPAD_PPA_CERT = None
<snip>
    try:
        lp_page = urllib2.
    except TypeError:
        lp_page = urllib2.
```
When running under python2, urllib2 does _not_ do ssl certificate checking.
When running under python3, urllib.request _does_ do ssl certificate checking, but only if the cafile points to a valid certificate bundle. Contrary to the comment in the code, setting it to None means it's not checking ssl certificates _at all_.
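The fail-open behaviour described above can be guarded against in the caller instead of relying on the `cafile` argument. The following is an added example, not code from software-properties or from its fix: it builds an SSL context that always requires certificate and hostname verification, treats a missing bundle file as an error rather than a silent fallback, and includes a small check a test suite can run against whatever context an HTTP client ends up using. `CA_BUNDLE` is a placeholder, not the project's setting.

```python
import os
import ssl
import urllib.request

# Constructed placeholder: a real deployment points this at the distribution's
# CA bundle, or leaves it None to use the system default store.
CA_BUNDLE = None


def bundle_is_usable(cafile):
    """None means the system store; anything else must be an existing file."""
    return cafile is None or os.path.isfile(cafile)


def verifying_context(cafile=None):
    """Return an SSL context that verifies the peer certificate and hostname.

    cafile=None selects the system default store, which is what the comment
    in ppa.py intended; unlike urlopen(cafile=None) on early Python 3 this
    never turns verification off.  A bundle path that does not exist raises
    instead of degrading to an unverified connection.
    """
    if not bundle_is_usable(cafile):
        raise FileNotFoundError(f"CA bundle not found: {cafile}")
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verification_enabled(ctx):
    """True only if ctx rejects unverifiable or mis-named peers.

    Suitable as a unit-test assertion, so a regression like the one in
    this bug is caught before release rather than by a MITM.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def unverified_context():
    """The fail-open equivalent of the buggy code path, used to exercise the check."""
    return ssl._create_unverified_context()


def fetch(url, cafile=CA_BUNDLE):
    """Open url with verification enforced by the explicit context argument."""
    return urllib.request.urlopen(url, context=verifying_context(cafile))


if __name__ == "__main__":
    print("verifying:", verification_enabled(verifying_context()))     # True
    print("unverified:", verification_enabled(unverified_context()))   # False
```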
Related branches
- Marc Deslauriers: Approve
- Diff: 141 lines (+57/-16), 3 files modified:
  - add-apt-repository (+4/-3)
  - debian/changelog (+8/-1)
  - softwareproperties/ppa.py (+45/-12)
Changed in software-properties (Ubuntu):
- status: New → In Progress
- importance: Undecided → High
- assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
CVE-2011-4407 was fixed by migrating to pycurl:
http://bazaar.launchpad.net/~ubuntu-core-dev/software-properties/main/revision/738
The python3 port migrated it back to urllib, which is vulnerable:
http://bazaar.launchpad.net/~ubuntu-core-dev/software-properties/main/revision/759