Quantal software-properties incorrectly validating ssl certs

Bug #1036839 reported by Marc Deslauriers on 2012-08-14
This bug affects 1 person
Affects: software-properties (Ubuntu)
Importance: High
Assigned to: Mathieu Trudel-Lapierre

Bug Description

The python3 migration of software-properties causes it to incorrectly validate ssl certificates, leading to a MITM being able to compromise a remote system. It basically reverts the fix for LP: 915210.

from softwareproperties/ppa.py:

<snip>
# None means use the system default SSL store.
# Otherwise a path to a file is expected (as a bundle of certs)
LAUNCHPAD_PPA_CERT = None
<snip>
    try:
        lp_page = urllib2.urlopen(request, cafile=LAUNCHPAD_PPA_CERT)
    except TypeError:
        lp_page = urllib2.urlopen(request)

When running under python2, urllib2 does _not_ do ssl certificate checking.
When running under python3, urllib.request _does_ do ssl certificate checking, but only if the cafile points to a valid certificate bundle. Contrary to the comment in the code, setting it to None means it's not checking ssl certificates _at all_.


Marc Deslauriers (mdeslaur) wrote :

CVE-2011-4407 was fixed by migrating to pycurl:

http://bazaar.launchpad.net/~ubuntu-core-dev/software-properties/main/revision/738

The python3 port migrated it back to urllib, which is vulnerable:

http://bazaar.launchpad.net/~ubuntu-core-dev/software-properties/main/revision/759

tags: added: rls-q-incoming

Marc Deslauriers (mdeslaur) wrote :

This new issue has been assigned CVE-2012-0955

Changed in software-properties (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package software-properties - 0.92

---------------
software-properties (0.92) quantal; urgency=low

  [ Robert Roth ]
  * lp:~evfool/software-properties/lp1030970 :
    - Fixed the source code checkbox and the submit statistics
      checkbox labels to be left-aligned instead of centered.
  * lp:~evfool/software-properties/lp997371:
    - support enabling a component via "apt-add-repository componentname"
      (e.g. "apt-add-repository multiverse") LP: #997371

  [ Mathieu Trudel-Lapierre ]
  * Reinstate pycurl to use for getting PPA information from Launchpad, since
    it can actually verify SSL certificates with python2. Also set
    LAUNCHPAD_PPA_CERT so that it's a valid path to the system CA certificates
    bundle to use for urllib and pycurl. (LP: #1036839)
    - CVE-2012-0955

  [ Gabor Kelemen ]
  * lp:~kelemeng/software-properties/bug1035544:
    - fix a bunch of missing i18n strings (LP: #1035544)

  [ Michael Vogt ]
  * lp:~mvo/software-properties/remove-popcon:
    - remove the "statistics" page as this is no longer used
      (LP: #1025436)
 -- Michael Vogt <email address hidden> Mon, 27 Aug 2012 09:56:47 +0200

Changed in software-properties (Ubuntu):
status: In Progress → Fix Released
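
Added example (not part of the bug report, and not the project's fix, which reinstated pycurl): a fail-closed way to fetch over HTTPS with urllib on current Python, where a missing or None CA bundle raises instead of silently falling back to an unverified request as the quoted try/except does. The function names and the Ubuntu bundle path are assumptions made for illustration.

```python
import os
import ssl
import urllib.request

# Assumption: the usual Debian/Ubuntu bundle location. The changelog only says
# "a valid path to the system CA certificates bundle".
SYSTEM_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def verifying_context(cafile):
    """Build a TLS client context that verifies the peer, or raise."""
    if cafile is None:
        # The report's core point: None must never be read as "verify with defaults".
        raise ValueError("cafile is None: refusing to continue without a trust store")
    if not os.path.isfile(cafile):
        raise FileNotFoundError(cafile)
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def context_verifies(ctx):
    """True only if the context checks both the chain and the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def no_verification_context():
    """The behaviour the report describes, kept only to exercise the check above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch(url, cafile=SYSTEM_CA_BUNDLE):
    """Fetch url over HTTPS; any problem with the trust store is a hard error."""
    ctx = verifying_context(cafile)
    if not context_verifies(ctx):
        raise RuntimeError("TLS context does not verify certificates")
    # No 'except TypeError: urlopen(request)' style fallback here.
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()
```
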
This report contains Public Security information
Everyone can see this security related information.