[Touch-packages] [Bug 1879533] Re: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it
This bug was fixed in the package busybox - 1:1.30.1-4ubuntu6.1 --- busybox (1:1.30.1-4ubuntu6.1) focal; urgency=medium * Enable TLS verification with OpenSSL. LP: #1879533 * Enable TLS in initramfs flavour of wget applet, requires openssl. LP: #1879525 -- Dimitri John Ledkov Tue, 19 May 2020 16:16:23 +0100 ** Changed in: busybox (Ubuntu Focal) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to busybox in Ubuntu. https://bugs.launchpad.net/bugs/1879533 Title: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it Status in busybox package in Ubuntu: Fix Released Status in busybox source package in Focal: Fix Released Status in busybox source package in Groovy: Fix Released Bug description: [Impact] * CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox applet using openssl * CONFIG_FEATURE_WGET_HTTPS=y enables https support in wget busybox applet using internal TLS code * CVE-2018-1000500 ensured that when CONFIG_FEATURE_WGET_HTTPS=y is used, a message is printed to notify the users that TLS verification is not perfomed. * However, when one configures with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset - no such message is printed. * Also TLS verification is not performed under OPENSSL case. * When performing https requests, it works openssl s_client and communicates with it to perform https download * Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored * There is no warning that TLS verification was not performed [Test Case] * Preparation: sudo apt install busybox; or build busybox with CONFIG_FEATURE_WGET_OPENSSL=y * Test case: /bin/busybox wget https://untrusted-root.badssl.com/ * Expected: download failed, or download suceeds with warning printed that verification is disabled * Observed: download success without a warning that verification is disabled. $ /bin/busybox wget https://untrusted-root.badssl.com/ Connecting to untrusted-root.badssl.com (104.154.89.105:443) index.html 100% |*| 600 0:00:00 ETA $ cat index.html | grep certificate The certificate for this site is signed using an untrusted root. [Regression Potential] * The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored. [Other Info] * Proposed fix pass `-verify_return_error` to s_client, unless `--no-check- certificate` is specified To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1879533] Re: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it
Build focal subiquity image with proposed enabled and busybox version 1:1.30.1-4ubuntu6.1 at https://launchpad.net/~xnox/+livefs/ubuntu/focal/any/+build/221093 downloaded just the initrd & vmlinuz. Waited for it to fail to boot, and sourced /scripts/functions and executed configure_networking. Downloaded https://start.ubuntu.com successfully Failed to download https://untrusted-root.badssl.com Verification successful. ** Tags removed: verification-needed verification-needed-focal ** Tags added: verification-done verification-done-focal -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to busybox in Ubuntu. https://bugs.launchpad.net/bugs/1879533 Title: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it Status in busybox package in Ubuntu: Fix Released Status in busybox source package in Focal: Fix Committed Status in busybox source package in Groovy: Fix Released Bug description: [Impact] * CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox applet using openssl * CONFIG_FEATURE_WGET_HTTPS=y enables https support in wget busybox applet using internal TLS code * CVE-2018-1000500 ensured that when CONFIG_FEATURE_WGET_HTTPS=y is used, a message is printed to notify the users that TLS verification is not perfomed. * However, when one configures with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset - no such message is printed. * Also TLS verification is not performed under OPENSSL case. * When performing https requests, it works openssl s_client and communicates with it to perform https download * Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored * There is no warning that TLS verification was not performed [Test Case] * Preparation: sudo apt install busybox; or build busybox with CONFIG_FEATURE_WGET_OPENSSL=y * Test case: /bin/busybox wget https://untrusted-root.badssl.com/ * Expected: download failed, or download suceeds with warning printed that verification is disabled * Observed: download success without a warning that verification is disabled. $ /bin/busybox wget https://untrusted-root.badssl.com/ Connecting to untrusted-root.badssl.com (104.154.89.105:443) index.html 100% |*| 600 0:00:00 ETA $ cat index.html | grep certificate The certificate for this site is signed using an untrusted root. [Regression Potential] * The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored. [Other Info] * Proposed fix pass `-verify_return_error` to s_client, unless `--no-check- certificate` is specified To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1879533] Re: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it
Hello Dimitri, or anyone else affected, Accepted busybox into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/busybox/1:1.30.1-4ubuntu6.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-focal. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: busybox (Ubuntu Focal) Status: New => Fix Committed ** Tags added: verification-needed verification-needed-focal -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to busybox in Ubuntu. https://bugs.launchpad.net/bugs/1879533 Title: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it Status in busybox package in Ubuntu: Fix Released Status in busybox source package in Focal: Fix Committed Status in busybox source package in Groovy: Fix Released Bug description: [Impact] * CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox applet using openssl * CONFIG_FEATURE_WGET_HTTPS=y enables https support in wget busybox applet using internal TLS code * CVE-2018-1000500 ensured that when CONFIG_FEATURE_WGET_HTTPS=y is used, a message is printed to notify the users that TLS verification is not perfomed. * However, when one configures with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset - no such message is printed. * Also TLS verification is not performed under OPENSSL case. * When performing https requests, it works openssl s_client and communicates with it to perform https download * Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored * There is no warning that TLS verification was not performed [Test Case] * Preparation: sudo apt install busybox; or build busybox with CONFIG_FEATURE_WGET_OPENSSL=y * Test case: /bin/busybox wget https://untrusted-root.badssl.com/ * Expected: download failed, or download suceeds with warning printed that verification is disabled * Observed: download success without a warning that verification is disabled. $ /bin/busybox wget https://untrusted-root.badssl.com/ Connecting to untrusted-root.badssl.com (104.154.89.105:443) index.html 100% |*| 600 0:00:00 ETA $ cat index.html | grep certificate The certificate for this site is signed using an untrusted root. [Regression Potential] * The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored. [Other Info] * Proposed fix pass `-verify_return_error` to s_client, unless `--no-check- certificate` is specified To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1879533] Re: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it
Ok, xnox cleared out the situation for me. This is not needed in -security. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to busybox in Ubuntu. https://bugs.launchpad.net/bugs/1879533 Title: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it Status in busybox package in Ubuntu: Fix Released Status in busybox source package in Focal: New Status in busybox source package in Groovy: Fix Released Bug description: [Impact] * CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox applet using openssl * CONFIG_FEATURE_WGET_HTTPS=y enables https support in wget busybox applet using internal TLS code * CVE-2018-1000500 ensured that when CONFIG_FEATURE_WGET_HTTPS=y is used, a message is printed to notify the users that TLS verification is not perfomed. * However, when one configures with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset - no such message is printed. * Also TLS verification is not performed under OPENSSL case. * When performing https requests, it works openssl s_client and communicates with it to perform https download * Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored * There is no warning that TLS verification was not performed [Test Case] * Preparation: sudo apt install busybox; or build busybox with CONFIG_FEATURE_WGET_OPENSSL=y * Test case: /bin/busybox wget https://untrusted-root.badssl.com/ * Expected: download failed, or download suceeds with warning printed that verification is disabled * Observed: download success without a warning that verification is disabled. $ /bin/busybox wget https://untrusted-root.badssl.com/ Connecting to untrusted-root.badssl.com (104.154.89.105:443) index.html 100% |*| 600 0:00:00 ETA $ cat index.html | grep certificate The certificate for this site is signed using an untrusted root. [Regression Potential] * The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored. [Other Info] * Proposed fix pass `-verify_return_error` to s_client, unless `--no-check- certificate` is specified To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1879533] Re: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it
Seeing that this is a fix for a documented CVE, do we also want to upload this to -security? Should we build this first in a security enabled PPA? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to busybox in Ubuntu. https://bugs.launchpad.net/bugs/1879533 Title: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it Status in busybox package in Ubuntu: Fix Released Status in busybox source package in Focal: New Status in busybox source package in Groovy: Fix Released Bug description: [Impact] * CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox applet using openssl * CONFIG_FEATURE_WGET_HTTPS=y enables https support in wget busybox applet using internal TLS code * CVE-2018-1000500 ensured that when CONFIG_FEATURE_WGET_HTTPS=y is used, a message is printed to notify the users that TLS verification is not perfomed. * However, when one configures with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset - no such message is printed. * Also TLS verification is not performed under OPENSSL case. * When performing https requests, it works openssl s_client and communicates with it to perform https download * Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored * There is no warning that TLS verification was not performed [Test Case] * Preparation: sudo apt install busybox; or build busybox with CONFIG_FEATURE_WGET_OPENSSL=y * Test case: /bin/busybox wget https://untrusted-root.badssl.com/ * Expected: download failed, or download suceeds with warning printed that verification is disabled * Observed: download success without a warning that verification is disabled. $ /bin/busybox wget https://untrusted-root.badssl.com/ Connecting to untrusted-root.badssl.com (104.154.89.105:443) index.html 100% |*| 600 0:00:00 ETA $ cat index.html | grep certificate The certificate for this site is signed using an untrusted root. [Regression Potential] * The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored. [Other Info] * Proposed fix pass `-verify_return_error` to s_client, unless `--no-check- certificate` is specified To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1879533] Re: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it
This bug was fixed in the package busybox - 1:1.30.1-4ubuntu8 --- busybox (1:1.30.1-4ubuntu8) groovy; urgency=medium * Enable TLS verification with OpenSSL. LP: #1879533 busybox (1:1.30.1-4ubuntu7) groovy; urgency=medium * Enable TLS in initramfs flavour of wget applet, requires openssl. LP: #1879525 -- Dimitri John Ledkov Wed, 20 May 2020 14:44:54 +0100 ** Changed in: busybox (Ubuntu Groovy) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to busybox in Ubuntu. https://bugs.launchpad.net/bugs/1879533 Title: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it Status in busybox package in Ubuntu: Fix Released Status in busybox source package in Focal: New Status in busybox source package in Groovy: Fix Released Bug description: [Impact] * CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox applet using openssl * CONFIG_FEATURE_WGET_HTTPS=y enables https support in wget busybox applet using internal TLS code * CVE-2018-1000500 ensured that when CONFIG_FEATURE_WGET_HTTPS=y is used, a message is printed to notify the users that TLS verification is not perfomed. * However, when one configures with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset - no such message is printed. * Also TLS verification is not performed under OPENSSL case. * When performing https requests, it works openssl s_client and communicates with it to perform https download * Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored * There is no warning that TLS verification was not performed [Test Case] * Preparation: sudo apt install busybox; or build busybox with CONFIG_FEATURE_WGET_OPENSSL=y * Test case: /bin/busybox wget https://untrusted-root.badssl.com/ * Expected: download failed, or download suceeds with warning printed that verification is disabled * Observed: download success without a warning that verification is disabled. $ /bin/busybox wget https://untrusted-root.badssl.com/ Connecting to untrusted-root.badssl.com (104.154.89.105:443) index.html 100% |*| 600 0:00:00 ETA $ cat index.html | grep certificate The certificate for this site is signed using an untrusted root. [Regression Potential] * The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored. [Other Info] * Proposed fix pass `-verify_return_error` to s_client, unless `--no-check- certificate` is specified To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1879533] Re: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it
** Tags added: id-5ec405c08ffc87364ab8cf50 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to busybox in Ubuntu. https://bugs.launchpad.net/bugs/1879533 Title: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it Status in busybox package in Ubuntu: Fix Committed Status in busybox source package in Focal: New Status in busybox source package in Groovy: Fix Committed Bug description: [Impact] * CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox applet using openssl * CONFIG_FEATURE_WGET_HTTPS=y enables https support in wget busybox applet using internal TLS code * CVE-2018-1000500 ensured that when CONFIG_FEATURE_WGET_HTTPS=y is used, a message is printed to notify the users that TLS verification is not perfomed. * However, when one configures with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset - no such message is printed. * Also TLS verification is not performed under OPENSSL case. * When performing https requests, it works openssl s_client and communicates with it to perform https download * Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored * There is no warning that TLS verification was not performed [Test Case] * Preparation: sudo apt install busybox; or build busybox with CONFIG_FEATURE_WGET_OPENSSL=y * Test case: /bin/busybox wget https://untrusted-root.badssl.com/ * Expected: download failed, or download suceeds with warning printed that verification is disabled * Observed: download success without a warning that verification is disabled. $ /bin/busybox wget https://untrusted-root.badssl.com/ Connecting to untrusted-root.badssl.com (104.154.89.105:443) index.html 100% |*| 600 0:00:00 ETA $ cat index.html | grep certificate The certificate for this site is signed using an untrusted root. [Regression Potential] * The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored. [Other Info] * Proposed fix pass `-verify_return_error` to s_client, unless `--no-check- certificate` is specified To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1879533] Re: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it
** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to busybox in Ubuntu. https://bugs.launchpad.net/bugs/1879533 Title: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it Status in busybox package in Ubuntu: Fix Committed Status in busybox source package in Focal: New Status in busybox source package in Groovy: Fix Committed Bug description: [Impact] * CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox applet using openssl * CONFIG_FEATURE_WGET_HTTPS=y enables https support in wget busybox applet using internal TLS code * CVE-2018-1000500 ensured that when CONFIG_FEATURE_WGET_HTTPS=y is used, a message is printed to notify the users that TLS verification is not perfomed. * However, when one configures with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset - no such message is printed. * Also TLS verification is not performed under OPENSSL case. * When performing https requests, it works openssl s_client and communicates with it to perform https download * Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored * There is no warning that TLS verification was not performed [Test Case] * Preparation: sudo apt install busybox; or build busybox with CONFIG_FEATURE_WGET_OPENSSL=y * Test case: /bin/busybox wget https://untrusted-root.badssl.com/ * Expected: download failed, or download suceeds with warning printed that verification is disabled * Observed: download success without a warning that verification is disabled. $ /bin/busybox wget https://untrusted-root.badssl.com/ Connecting to untrusted-root.badssl.com (104.154.89.105:443) index.html 100% |*| 600 0:00:00 ETA $ cat index.html | grep certificate The certificate for this site is signed using an untrusted root. [Regression Potential] * The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored. [Other Info] * Proposed fix pass `-verify_return_error` to s_client, unless `--no-check- certificate` is specified To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1879533] Re: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it
** Information type changed from Private Security to Public Security ** Changed in: busybox (Ubuntu Groovy) Status: New => Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to busybox in Ubuntu. https://bugs.launchpad.net/bugs/1879533 Title: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it Status in busybox package in Ubuntu: Fix Committed Status in busybox source package in Focal: New Status in busybox source package in Groovy: Fix Committed Bug description: [Impact] * CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox applet using openssl * CONFIG_FEATURE_WGET_HTTPS=y enables https support in wget busybox applet using internal TLS code * CVE-2018-1000500 ensured that when CONFIG_FEATURE_WGET_HTTPS=y is used, a message is printed to notify the users that TLS verification is not perfomed. * However, when one configures with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset - no such message is printed. * Also TLS verification is not performed under OPENSSL case. * When performing https requests, it works openssl s_client and communicates with it to perform https download * Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored * There is no warning that TLS verification was not performed [Test Case] * Preparation: sudo apt install busybox; or build busybox with CONFIG_FEATURE_WGET_OPENSSL=y * Test case: /bin/busybox wget https://untrusted-root.badssl.com/ * Expected: download failed, or download suceeds with warning printed that verification is disabled * Observed: download success without a warning that verification is disabled. $ /bin/busybox wget https://untrusted-root.badssl.com/ Connecting to untrusted-root.badssl.com (104.154.89.105:443) index.html 100% |*| 600 0:00:00 ETA $ cat index.html | grep certificate The certificate for this site is signed using an untrusted root. [Regression Potential] * The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored. [Other Info] * Proposed fix pass `-verify_return_error` to s_client, unless `--no-check- certificate` is specified To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
