incomplete SSL certificate verify

Bug #1677506 reported by Ruan Linqi
This bug affects 1 person
Affects: tnftp (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Hi developers:
    We made a large-scale security static analysis of several open source projects and found some mistakes in tnftp-20130505. In @src/ssl.c:555:
    void * fetch_start_ssl(int sock)
    {
        [...]
        ctx = SSL_CTX_new(SSLv23_client_method());
        SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
        ssl = SSL_new(ctx);
        if (ssl == NULL){
            fprintf(ttyout, "SSL context creation failed\n");
            SSL_CTX_free(ctx);
            return NULL;
        }
        SSL_set_fd(ssl, sock);
        while ((ret = SSL_connect(ssl)) == -1)
            [...]
        cert = SSL_get_peer_certificate(ssl);
        [...]
    }

  We find that you use SSL_get_peer_certificate() to get the cert and verify some properties of it. But it can still lead to a MITM attack. To guarantee security, we recommend you add the judgement if(SSL_get_verify_result(ssl)==X509_V_OK) to make sure validation succeeds.

information type: Private Security → Public
Bastian Germann (bastian-germann) wrote :

tnftp 20230409's ChangeLog has "Support SSL certificate validation by default."
