ubuntuone-client doesn't validate ssl certificates
Bug #882062 reported by
Marc Deslauriers
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone | ||
---|---|---|---|---|---|---|
Ubuntu One Client | Status tracked in Trunk | |||||
Stable-3-0 |
Fix Released
|
Undecided
|
Unassigned | |||
Stable-4-0 |
Fix Released
|
Undecided
|
Unassigned | |||
Trunk |
Fix Released
|
High
|
Unassigned | |||
Ubuntu One storage protocol | Status tracked in Trunk | |||||
Stable-1-2 |
Won't Fix
|
Undecided
|
Unassigned | |||
Stable-1-6 |
Won't Fix
|
Undecided
|
Unassigned | |||
Stable-2-0 |
Won't Fix
|
Undecided
|
Unassigned | |||
Stable-3-0 |
Fix Released
|
High
|
Alejandro J. Cura | |||
Stable-4-0 |
Fix Released
|
High
|
dobey | |||
Trunk |
Fix Released
|
Undecided
|
dobey | |||
ubuntuone-client (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | |||
Lucid |
Fix Released
|
Medium
|
Marc Deslauriers | |||
Maverick |
Won't Fix
|
Medium
|
Marc Deslauriers | |||
Natty |
Fix Released
|
Medium
|
Marc Deslauriers | |||
Oneiric |
Fix Released
|
Medium
|
Marc Deslauriers | |||
Precise |
Fix Released
|
Medium
|
Marc Deslauriers | |||
Quantal |
Fix Released
|
Medium
|
Unassigned | |||
ubuntuone-storage-protocol (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | |||
Lucid |
Fix Released
|
Undecided
|
Marc Deslauriers | |||
Maverick |
Won't Fix
|
Undecided
|
Unassigned | |||
Natty |
Fix Released
|
Undecided
|
Marc Deslauriers | |||
Oneiric |
Fix Released
|
Undecided
|
Marc Deslauriers | |||
Precise |
Fix Released
|
Undecided
|
Marc Deslauriers | |||
Quantal |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
ubuntuone-client uses urllib2 to perform certain operations on https web sites. urllib2 does not do any certificate validation, and should only be used if certificate validation is being done by the application itself.
This results in a trivial man in the middle attack that can obtain or alter sensitive information.
Related branches
lp:~alecu/ubuntuone-storage-protocol/validate-ssl-cert
Rejected
for merging
into
lp:ubuntuone-storage-protocol/stable-3-0
- dobey (community): Needs Fixing
-
Diff: 252 lines (+218/-11)2 files modifiedtests/test_context.py (+177/-0)
ubuntuone/storageprotocol/context.py (+41/-11)
Superseded
for merging
into
lp:ubuntuone-storage-protocol
- Ubuntu One hackers: Pending requested
-
Diff: 86 lines (+45/-11) (has conflicts)2 files modifiedsetup.py (+4/-0)
ubuntuone/storageprotocol/context.py (+41/-11)
lp:~alecu/ubuntuone-client/validate-ssl-cert-3-0
- dobey (community): Approve
-
Diff: 25 lines (+2/-2)2 files modifieddata/syncdaemon.conf (+1/-1)
ubuntuone/syncdaemon/action_queue.py (+1/-1)
lp:~dobey/ubuntuone-storage-protocol/validate-ssl-cert
- Alejandro J. Cura (community): Approve
- Diego Sarmentero (community): Approve
-
Diff: 262 lines (+227/-12)2 files modifiedtests/test_context.py (+182/-0)
ubuntuone/storageprotocol/context.py (+45/-12)
lp:~dobey/ubuntuone-storage-protocol/validate-ssl-cert-4-0
- Diego Sarmentero (community): Approve
-
Diff: 262 lines (+227/-12)2 files modifiedtests/test_context.py (+182/-0)
ubuntuone/storageprotocol/context.py (+45/-12)
lp:~dobey/ubuntuone-client/validate-ssl-cert
- dobey (community): Approve
-
Diff: 25 lines (+2/-2)2 files modifieddata/syncdaemon.conf (+1/-1)
ubuntuone/syncdaemon/action_queue.py (+1/-1)
lp:~alecu/ubuntuone-client/validate-ssl-cert
- dobey (community): Approve
- Roberto Alsina (community): Approve
-
Diff: 156 lines (+78/-22)2 files modifiedtests/syncdaemon/test_action_queue.py (+67/-12)
ubuntuone/syncdaemon/action_queue.py (+11/-10)
lp:~alecu/ubuntuone-storage-protocol/include-valicert
- dobey (community): Approve
- Roberto Alsina (community): Approve
-
Diff: 49 lines (+22/-1)3 files modifieddata/ValiCert_Class_2_VA.pem (+18/-0)
setup.py (+1/-0)
ubuntuone/storageprotocol/context.py (+3/-1)
lp:~alecu/ubuntuone-windows-installer/include-valicert
- dobey (community): Approve
- Roberto Alsina (community): Approve
-
Diff: 29 lines (+8/-0)2 files modifiedscripts/setup.py (+4/-0)
scripts/ubuntuone.xml (+4/-0)
lp:~alecu/ubuntuone-client/txweb-ssl-3-0
- Roberto Alsina (community): Approve
- dobey (community): Approve
-
Diff: 156 lines (+78/-22)2 files modifiedtests/syncdaemon/test_action_queue.py (+67/-12)
ubuntuone/syncdaemon/action_queue.py (+11/-10)
lp:~dobey/ubuntuone-storage-protocol/update-3-0
- Roberto Alsina (community): Approve
-
Diff: 314 lines (+263/-12)4 files modifieddata/ValiCert_Class_2_VA.pem (+18/-0)
setup.py (+1/-0)
tests/test_context.py (+197/-0)
ubuntuone/storageprotocol/context.py (+47/-12)
CVE References
Changed in ubuntuone-client (Ubuntu): | |
status: | New → Confirmed |
Changed in ubuntuone-storage-protocol (Ubuntu Maverick): | |
status: | New → Won't Fix |
Changed in ubuntuone-storage-protocol (Ubuntu Lucid): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
status: | New → Confirmed |
Changed in ubuntuone-storage-protocol (Ubuntu Natty): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
status: | New → Confirmed |
Changed in ubuntuone-storage-protocol (Ubuntu Oneiric): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
status: | New → Confirmed |
Changed in ubuntuone-storage-protocol (Ubuntu Precise): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
status: | New → Confirmed |
Changed in ubuntuone-client (Ubuntu Precise): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in ubuntuone-storage-protocol (Ubuntu Quantal): | |
status: | New → Confirmed |
visibility: | private → public |
Changed in ubuntuone-storage-protocol: | |
status: | New → Fix Committed |
Changed in ubuntuone-client: | |
importance: | Undecided → High |
status: | New → Triaged |
To post a comment you must log in.
This is a patch for lp:ubuntuone-client/stable-2-0 that depends on the curllib patch proposed for lp:ubuntu-sso-client/stable-1-4