Comment 11 for bug 673925

Jamie Strandboge (jdstrand) wrote :

So, freerdp 0.8.2-2build1 is still not fixed when compiled to use openssl, which is how it is compiled in Ubuntu:
crypto_cert_verify(CryptoCert server_cert, CryptoCert cacert)
{
        /* FIXME: do the actual verification */
        return True;
}

crypto_nss.c is no better. crypto_polarssl.c is slightly better in that it at least returns False. crypto_gnutls.c is slightly better with:
crypto_cert_verify(CryptoCert server_cert, CryptoCert cacert)
{
        /* FIXME: check more here ... */
        unsigned int verify; /* What is this? */
        return gnutls_x509_crt_check_issuer(server_cert->cert,cacert->cert) &&
                        gnutls_x509_crt_verify(server_cert->cert, &cacert->cert, 1, 0, &verify) == GNUTLS_E_SUCCESS;
}

But this is not good enough (see http://www.ubuntu.com/usn/usn-1283-1/ as an example why). http://www.gnu.org/s/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html gives an example on how to properly verify a certificate (though admittedly, it doesn't do the whole cert chain so more effort would be needed there-- but lack of full chain checking shouldn't block this MIR because it should fail safe in that regard).

So to move this along:
 * NAK when compiled against openssl (as it is now)
 * NAK when compiled against nss
 * NAK when compiled against gnutls, but this is more easily fixable with the above info and if the userspace bits are in place
 * ACK if SSL support is disabled

The gnutls bit alone could easily get a CVE *right now* and the bits for openssl and nss are egregious in production code *if* the code is claiming secure connections (which in looking in remmina, it appears to be). These SSL issues are very important to fix because if the program claims to have secure connections, people will trust that. We've had too many security updates on SSL issues over the years because of improperly implemented certificate verification. As such, we can solve this easily by not claiming SSL support at all, which I think is the easiest way forward. If work is going to be put into fixing the gnutls bits please follow the above example.

As for rdesktop, afaict it doesn't seem to claim to support SSL in its manpage or its online documentation and there is nothing in vinagre that exposes this, so there is no expectation of security.
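
Added example, not part of the comment above and not FreeRDP or GnuTLS code: a self-contained C model of the crypto_gnutls.c pattern quoted in the comment, next to a fail-closed variant. gnutls_x509_crt_verify() returns GNUTLS_E_SUCCESS when the check could be carried out and writes the actual verdict to its last argument, which the quoted code never reads. Every name below is a hypothetical stand-in with that contract, and the name-only issuer check is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not GnuTLS or FreeRDP code: all names are hypothetical. */
enum { ST_INVALID = 1u, ST_SIGNER_NOT_FOUND = 2u };
struct cert { const char *subject, *issuer; bool sig_ok; };

/* Stand-in for an issuer check that only compares names (assumption). */
static bool model_check_issuer(const struct cert *c, const struct cert *ca)
{
    return c && ca && strcmp(c->issuer, ca->subject) == 0;
}

/* Stand-in with the contract of gnutls_x509_crt_verify(): returns 0 when the
 * check ran (negative on error) and writes the verdict to *status. */
static int model_verify(const struct cert *c, const struct cert *ca, unsigned *status)
{
    if (!c || !ca || !status) return -1;
    *status = 0;
    if (strcmp(c->issuer, ca->subject) != 0) *status |= ST_INVALID | ST_SIGNER_NOT_FOUND;
    if (!c->sig_ok) *status |= ST_INVALID;
    return 0;
}

/* Same shape as the quoted crypto_gnutls.c check: status is never read. */
static bool verify_as_posted(const struct cert *c, const struct cert *ca)
{
    unsigned status;
    return model_check_issuer(c, ca) && model_verify(c, ca, &status) == 0;
}

/* Fail closed: the call must succeed AND report no status flags. */
static bool verify_fail_closed(const struct cert *c, const struct cert *ca)
{
    unsigned status = ST_INVALID;   /* pessimistic default */
    if (model_verify(c, ca, &status) != 0) return false;
    return status == 0;
}

/* Constructed sample certificates: "forged" names the CA but has a bad signature. */
static const struct cert sample_ca = { "CN=Example CA", "CN=Example CA", true };
static const struct cert genuine   = { "CN=rdp.example", "CN=Example CA", true };
static const struct cert forged    = { "CN=rdp.example", "CN=Example CA", false };

int main(void)
{
    printf("genuine: posted=%d fail_closed=%d\n", verify_as_posted(&genuine, &sample_ca), verify_fail_closed(&genuine, &sample_ca));
    printf("forged:  posted=%d fail_closed=%d\n", verify_as_posted(&forged, &sample_ca), verify_fail_closed(&forged, &sample_ca));
    return 0;
}
```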