ubuntu-sso-client doesn't validate ssl certificates
Bug #882055 reported by Marc Deslauriers
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu One Client | Invalid | Undecided | Unassigned | |
| Ubuntu Single Sign On Client | Status tracked in Trunk | | | |
| Stable-1-2 | Fix Released | High | Alejandro J. Cura | |
| Stable-1-4 | Fix Released | High | Alejandro J. Cura | |
| Stable-3-0 | Fix Released | Undecided | Unassigned | |
| Stable-4-0 | Fix Released | Undecided | Unassigned | |
| Trunk | Fix Released | Undecided | Unassigned | |
| ubuntu-sso-client (Ubuntu) | Fix Released | Medium | Unassigned | |
| Maverick | Won't Fix | Medium | Marc Deslauriers | |
| Natty | Fix Released | Medium | Marc Deslauriers | |
| Oneiric | Fix Released | Medium | Marc Deslauriers | |
| Precise | Fix Released | Medium | Unassigned | |
Bug Description
ubuntu-sso-client uses urllib2 to perform certain operations on https web sites. urllib2 does not do any certificate validation, and should only be used if certificate validation is being done by the application itself.
This results in a trivial man in the middle attack that can obtain or alter sensitive information.
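The two client configurations the report contrasts, shown with the standard-library `ssl` module as an added example; this is not ubuntu-sso-client code and not the fix the project merged. Before PEP 476 (Python 2.7.9 and 3.4.3) `urllib2.urlopen()` on an https URL checked nothing, so any certificate presented by a man in the middle was accepted; today that behaviour must be asked for explicitly, which is what `insecure_context()` does so the two can be compared side by side. `audit_context()` is the review check a practitioner would run before an `SSLContext` touches the network. The function names and the default target URL in the usage block are assumptions chosen for illustration.

```python
"""Added example: verifying vs. non-verifying TLS client contexts in Python.

insecure_context() reproduces the legacy urllib2 behaviour this bug is about
(encryption without authentication); verifying_context() is what an
application that validates certificates itself looks like.
"""
import ssl
import sys
import urllib.request
from typing import Optional


def insecure_context() -> ssl.SSLContext:
    """TLS context equivalent to pre-PEP-476 urllib2: no trust at all.

    Any certificate, including one minted by a man in the middle, is accepted,
    and the name in the certificate is never compared to the requested host.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that refuses any server it cannot authenticate.

    cafile: optional PEM bundle of trust anchors (a distribution CA bundle or a
    pinned issuer); when omitted the platform's default store is loaded.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets both of these; restated so the intent
    # is explicit and survives someone later relaxing the defaults.
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must validate to a trust anchor
    ctx.check_hostname = True             # and the leaf must name the host requested
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """The three properties a reviewer checks on any client SSLContext."""
    stats = ctx.cert_store_stats()        # keys: 'x509', 'x509_ca', 'crl'
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "trust_anchors": stats["x509"],
    }


def mitm_resistant(ctx: ssl.SSLContext) -> bool:
    """True only if a forged or mis-issued certificate would be rejected."""
    a = audit_context(ctx)
    return a["verifies_chain"] and a["checks_hostname"] and a["trust_anchors"] > 0


def https_get(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Fetch url through a urllib opener bound to the given context.

    With verifying_context() a spoofed server fails inside the handshake with
    ssl.SSLCertVerificationError; with insecure_context() the same request
    silently succeeds, which is exactly the weakness described in this bug.
    """
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Usage: python tls_check.py https://example.com/  (default URL is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com/"
    for name, ctx in (("insecure", insecure_context()), ("verifying", verifying_context())):
        print(name, audit_context(ctx))
    try:
        https_get(target, verifying_context())
        print("certificate chain and hostname verified for", target)
    except ssl.SSLCertVerificationError as exc:
        print("refused:", exc)
```

Note that `audit_context()` reports zero trust anchors for the insecure context because nothing was ever loaded into it; a context with `CERT_REQUIRED` but an empty store is equally unusable, which is why `mitm_resistant()` insists on all three properties rather than on `verify_mode` alone.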
Related branches

lp:~dobey/ubuntu-sso-client/ssl-strict
- Alejandro J. Cura (community): Approve
- Roberto Alsina (community): Approve
- Diff: 65 lines (+25/-0), 2 files modified:
  ubuntu_sso/gtk/gui.py (+18/-0)
  ubuntu_sso/gtk/tests/test_gui.py (+7/-0)

lp:~alecu/ubuntu-sso-client/use-pycurl-1-4
- Manuel de la Peña (community): Approve
- Roberto Alsina (community): Approve
- Diff: 571 lines (+458/-12), 5 files modified:
  ubuntu_sso/account.py (+2/-3)
  ubuntu_sso/credentials.py (+4/-4)
  ubuntu_sso/tests/test_credentials.py (+5/-5)
  ubuntu_sso/utils/curllib.py (+147/-0)
  ubuntu_sso/utils/tests/test_curllib.py (+300/-0)

lp:~alecu/ubuntu-sso-client/use-pycurl-1-2
- dobey (community): Approve
- Manuel de la Peña (community): Approve
- Diff: 571 lines (+458/-12), 5 files modified:
  ubuntu_sso/account.py (+2/-3)
  ubuntu_sso/credentials.py (+4/-4)
  ubuntu_sso/tests/test_credentials.py (+5/-5)
  ubuntu_sso/utils/curllib.py (+147/-0)
  ubuntu_sso/utils/tests/test_curllib.py (+300/-0)
Activity log

- Changed in ubuntuone-client: status: New → Invalid
- Changed in ubuntu-sso-client (Ubuntu): status: New → Confirmed
- Changed in ubuntu-sso-client (Ubuntu Precise): status: Confirmed → Invalid; status: Invalid → Fix Released
- visibility: private → public
- tags: added: patch
- tags: added: verification-done; removed: verification-needed
In the ubuntu_sso/gtk/gui.py file, it also uses webkit without setting the "ssl-strict" and "ssl-ca-file" properties, so it's not doing certificate checking in the webkit parts either.