*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Marc Deslauriers
(mdeslaur):
Description: Ubuntu 10.04.3 LTS
Release: 10.04
Package: apt-transport-https (0.7.25.3ubuntu9.7)
I have enabled Verify-Peer in the https options for apt. The debug reads
as follows:
Trying 192.168.234.53... connected
Connected to 192.168.234.53 (192.168.234.53) port 443 (#0)
found 149 certificates in /etc/ssl/certs/ca-certificates.crt
SSL re-using session ID
server certificate verification OK
common name: 127.0.0.1 (does not match '192.168.234.53')
server certificate expiration date OK
server certificate activation date OK
certificate public key: RSA
certificate version: #3
subject: CN=127.0.0.1
start date: Fri, 30 Sep 2011 14:55:55 GMT
expire date: Sun, 29 Sep 2013 14:55:55 GMT
When checking the source I can see that the following code is executed:
// ... and hostname against cert CN or subjectAltName
int default_verify = 2;   // 2 = fail on hostname mismatch, 0 = no check
bool verify = _config->FindB("Acquire::https::Verify-Host",true);
knob = "Acquire::https::"+remotehost+"::Verify-Host";
verify = _config->FindB(knob.c_str(),verify);
if (!verify)
   default_verify = 0;
// passes the bool (0 or 1) to libcurl, not default_verify (0 or 2)
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify);
According to the documentation, CURLOPT_SSL_VERIFYHOST accepts the values 0, 1
and 2. The value 1 is not recommended, as it flags the non-matching hostname
but does not fail the connection.
The variable "default_verify" is set to 2 or 0 in the above code, but is not
used. Instead the boolean variable "verify" is used in the call to set
CURLOPT_SSL_VERIFYHOST.
Probably the default_verify should be used in this call.
As the connection is not failed (but only logged), this might result in
a connection to an unwanted host, hence the security vulnerability.
** Affects: apt (Ubuntu)
Importance: High
Status: Fix Released
** Affects: apt (Ubuntu Lucid)
Importance: High
Status: In Progress
** Affects: apt (Ubuntu Maverick)
Importance: High
Status: In Progress
--
in apt-https Verify-Peer does not fail a connection on error
https://bugs.launchpad.net/bugs/868353
You received this bug notification because you are a member of Ubuntu Bugs,
which is subscribed to the bug report.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
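As an added illustration (not apt's or libcurl's code), the following C model shows why the type of the value passed to CURLOPT_SSL_VERIFYHOST matters: the three levels are modelled as the report describes them, and the hostname-matching helper is a simplified, hypothetical stand-in for libcurl's real check (it also handles a leading "*." wildcard, which goes beyond the report's example).

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not apt's or libcurl's code.  Verify levels as the
 * report describes them: 0 = no hostname check, 1 = only note a
 * mismatch, 2 = a mismatch fails the connection. */

/* Hypothetical simplified matcher: case-insensitive comparison of a
 * presented name (CN or SAN entry) with the dialled host.  A leading
 * "*." matches exactly one label.  No IP-address SAN handling. */
static bool name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return false;              /* wildcard needs one non-empty label */
        pattern += 2;
        host = dot + 1;
    }
    if (strlen(pattern) != strlen(host))
        return false;
    for (; *pattern; pattern++, host++)
        if (tolower((unsigned char)*pattern) != tolower((unsigned char)*host))
            return false;
    return true;
}

/* True if the TLS connection proceeds at the given verify level. */
bool verifyhost_allows(int level, const char *cert_cn, const char *host)
{
    switch (level) {
    case 0:  return true;                        /* host never checked */
    case 1:  return cert_cn[0] != '\0';          /* CN exists; mismatch only logged */
    default: return name_matches(cert_cn, host); /* level 2: mismatch fails */
    }
}

/* Level apt passes as reported: a bool promoted to long is 0 or 1. */
long verifyhost_level_as_reported(bool verify_host) { return verify_host; }

/* Level the report suggests: the 2-or-0 default_verify value. */
long verifyhost_level_fixed(bool verify_host) { return verify_host ? 2 : 0; }
```

With the report's own values (CN 127.0.0.1, host 192.168.234.53) the as-reported level 1 lets the connection proceed, while the suggested level 2 rejects it.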