[CVE-2013-7449] xchat and derivatives don't validate ssl hostnames

Bug #1565000 reported by Marc Deslauriers on 2016-04-01
Affects                   Importance   Assigned to
hexchat (Ubuntu)          Undecided    Unassigned
  Trusty                  Undecided    Unassigned
  Wily                    Undecided    Unassigned
  Xenial                  Undecided    Unassigned
xchat (Ubuntu)
  Precise                 Undecided    Unassigned
  Trusty                  Undecided    Unassigned
  Wily                    Undecided    Unassigned
xchat-gnome (Ubuntu)      Undecided    Marc Deslauriers
  Precise                 Undecided    Marc Deslauriers
  Trusty                  Undecided    Marc Deslauriers
  Wily                    Undecided    Marc Deslauriers
  Xenial                  Undecided    Marc Deslauriers

Bug Description

http://www.openwall.com/lists/oss-security/2015/01/29/23

XChat did not verify that the server hostname matched the domain name in
the subject's Common Name (CN) or subjectAltName field in X.509
certificates. This could allow a man-in-the-middle attacker to spoof an
SSL server if they had a certificate that was valid for any domain name.

Also applied to hexchat and xchat-gnome.
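The check the description says XChat skipped, as an added example that is not code from xchat, hexchat or xchat-gnome (their actual fix is the OpenSSL-side validate_ssl_hostnames.patch named in the changelogs): the dialled hostname is compared against the certificate's DNS subjectAltName entries, falling back to the subject Common Name only for certificates without DNS SANs, using the dict shape Python's ssl.SSLSocket.getpeercert() returns. The certificates and names are constructed for the example.

```python
# Added example, not code from xchat, hexchat or xchat-gnome: the hostname
# check the report says XChat skipped, written over the dict shape that
# Python's ssl.SSLSocket.getpeercert() returns (subject RDNs + subjectAltName).

def match_dns_pattern(pattern: str, hostname: str) -> bool:
    """Match one DNS name or wildcard pattern (RFC 6125 style) to hostname.

    Only a lone '*' as the whole leftmost label is honoured and it covers
    exactly one label: '*.example.net' matches 'irc.example.net' but not
    'example.net' or 'a.b.example.net'; '*.net' and 'ir*.example.net' are refused.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True only if the certificate names the host we dialled.

    DNS subjectAltName entries are authoritative when present; the subject
    Common Name is a fallback for legacy certificates without DNS SANs. A
    certificate that is valid but for an unrelated domain therefore fails,
    which is exactly what blocks the man-in-the-middle described above.
    """
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(match_dns_pattern(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return match_dns_pattern(value, hostname)
    return False


# Constructed sample certificates, not real ones.
SERVER_CERT = {
    "subject": ((("commonName", "irc.example.net"),),),
    "subjectAltName": (("DNS", "irc.example.net"), ("DNS", "*.example.net")),
}
# Valid, but for an unrelated domain: accepted by a client that never
# compares the name, rejected once the check above is in place.
OTHER_DOMAIN_CERT = {
    "subject": ((("commonName", "www.unrelated.test"),),),
    "subjectAltName": (("DNS", "www.unrelated.test"),),
}
```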

Marc Deslauriers (mdeslaur) wrote :
Changed in xchat (Ubuntu Xenial):
status: New → Invalid
Changed in xchat-gnome (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in hexchat (Ubuntu Trusty):
status: New → Confirmed
Changed in hexchat (Ubuntu Precise):
status: New → Invalid
Changed in hexchat (Ubuntu Wily):
status: New → Fix Released
Changed in hexchat (Ubuntu Xenial):
status: New → Fix Released
Changed in xchat (Ubuntu Precise):
status: New → Confirmed
Changed in xchat (Ubuntu Trusty):
status: New → Confirmed
Changed in xchat (Ubuntu Wily):
status: New → Confirmed
Changed in xchat-gnome (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in xchat-gnome (Ubuntu Wily):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in xchat-gnome (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
TingPing (tingping) wrote :

Debian removed xchat from their repos and xchat-gnome has been dead for equally long so they should both be removed IMO.

Marc Deslauriers (mdeslaur) wrote :

I maintain xchat-gnome in Ubuntu. It's the only one that uses gtk3, and is in the main repo.

xchat has already been removed from Xenial.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20141005.816798-0ubuntu9

---------------
xchat-gnome (1:0.30.0~git20141005.816798-0ubuntu9) xenial; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 12:39:36 -0400

Changed in xchat-gnome (Ubuntu Xenial):
status: Confirmed → Fix Released
Mattia Rizzolo (mapreri) wrote :

Marc, could you also take care of patching hexchat in trusty while you're at it?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package hexchat - 2.9.6.1-2ubuntu0.1

---------------
hexchat (2.9.6.1-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 19:53:41 -0400

Changed in hexchat (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.2

---------------
xchat-gnome (1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.2) trusty-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 13:43:49 -0400

Changed in xchat-gnome (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20141005.816798-0ubuntu6.2

---------------
xchat-gnome (1:0.30.0~git20141005.816798-0ubuntu6.2) wily-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 13:32:30 -0400

Changed in xchat-gnome (Ubuntu Wily):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20110821.e2a400-0.2ubuntu4.3

---------------
xchat-gnome (1:0.30.0~git20110821.e2a400-0.2ubuntu4.3) precise-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 13:44:25 -0400

Changed in xchat-gnome (Ubuntu Precise):
status: Confirmed → Fix Released
no longer affects: hexchat (Ubuntu Precise)
no longer affects: xchat (Ubuntu Xenial)
no longer affects: xchat (Ubuntu)
summary: - xchat-gnome doesn't validate ssl hostnames
+ xchat and derivatives don't validate ssl hostnames
Mattia Rizzolo (mapreri) on 2016-04-07
summary: - xchat and derivatives don't validate ssl hostnames
+ [CVE-2013-7449] xchat and derivatives don't validate ssl hostnames