So, freerdp 0.8.2-2build1 is still not fixed when compiled to use openssl,
which is how it is compiled in Ubuntu:
crypto_cert_verify(CryptoCert server_cert, CryptoCert cacert)
{
        /* FIXME: do the actual verification */
        return True;
}
crypto_nss.c is no better. crypto_polarssl.c is slightly better in that it at
least returns False. crypto_gnutls.c is slightly better with:
crypto_cert_verify(CryptoCert server_cert, CryptoCert cacert)
{
        /* FIXME: check more here ... */
        unsigned int verify; /* What is this? */
        return gnutls_x509_crt_check_issuer(server_cert->cert, cacert->cert) &&
               gnutls_x509_crt_verify(server_cert->cert,
                                      &cacert->cert, 1, 0, &verify) == GNUTLS_E_SUCCESS;
}
But this is not good enough (see http://www.ubuntu.com/usn/usn-1283-1/
as an example why).
http://www.gnu.org/s/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html
gives an example of how to properly verify a certificate (though admittedly,
it doesn't do the whole cert chain so more effort would be needed there, but
lack of full chain checking shouldn't block this MIR because it should fail
safe in that regard).
So to move this along:
* NAK when compiled against openssl (as it is now)
* NAK when compiled against nss
* NAK when compiled against gnutls, but this is more easily fixable with the
above info and if the userspace bits are in place
* ACK if SSL support is disabled
The gnutls bit alone could easily get a CVE *right now* and the bits for
openssl and nss are egregious in production code *if* the code is
claiming secure connections (which, looking at remmina, it appears to
be). These SSL issues are very important to fix because if the program
claims to have secure connections, people will trust that. We've had too
many security updates on SSL issues over the years because of improperly
implemented certificate verification. As such, we can solve this easily
by not claiming SSL support at all, which I think is the easiest way
forward. If work is going to be put into fixing the gnutls bits please
follow the above example.
As for rdesktop, afaict it doesn't seem to claim to support SSL in its
manpage or its online documentation, and there is nothing in vinagre that
exposes this, so there is no expectation of security.
** Changed in: freerdp (Ubuntu Precise)
Status: Confirmed => In Progress
** Changed in: freerdp (Ubuntu Precise)
Assignee: Jamie Strandboge (jdstrand) => (unassigned)
--
https://bugs.launchpad.net/bugs/673925
Title:
[MIR] freerdp
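Added illustration, not part of the bug report and not FreeRDP's or GnuTLS's code: the fail-safe certificate check the mail asks for, written in Go against the standard library rather than the GnuTLS C API so that it runs stand-alone with no network and no system trust store. It generates a constructed test CA, three server certificates (a good one, an expired one, and a self-signed one standing in for a man-in-the-middle) at run time, with made-up host names "rdp.example.test" and "other.example.test", and compares three verifiers side by side: a stub that accepts everything (the crypto_openssl.c behaviour), an issuer-and-signature check in the spirit of the crypto_gnutls.c snippet, and a full check that requires a chain to a trusted root, a valid period and the requested host name, returning false on every error path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // serial numbers for the constructed test certificates

// issue generates a key pair and a certificate for name, signed by parent
// (self-signed when parent is nil). Everything here is constructed test data.
func issue(name string, isCA bool, dns []string, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		DNSNames:              dns,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// stubVerify behaves like the crypto_openssl.c stub: it accepts any certificate.
func stubVerify(server *x509.Certificate) bool {
	return true
}

// issuerOnlyVerify does what the crypto_gnutls.c snippet does: it checks that
// ca issued and signed server, and nothing else. Validity dates and the host
// name the user asked for are never examined.
func issuerOnlyVerify(server, ca *x509.Certificate) bool {
	return server.CheckSignatureFrom(ca) == nil
}

// verifyServerCert is the fail-safe form: true only when server chains to a
// root in roots, is valid at now, and is issued for host. Every error path,
// including missing inputs, returns false.
func verifyServerCert(server *x509.Certificate, roots *x509.CertPool, host string, now time.Time) bool {
	if server == nil || roots == nil || host == "" {
		return false
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// runScenario builds the test CA and server certificates, then records how
// each verifier treats them.
func runScenario() map[string]bool {
	now := time.Date(2012, 1, 15, 0, 0, 0, 0, time.UTC) // fixed clock for stable results
	year, day := 365*24*time.Hour, 24*time.Hour
	host := "rdp.example.test" // constructed host name
	ca, caKey := issue("Constructed Test CA", true, nil, now.Add(-year), now.Add(10*year), nil, nil)
	good, _ := issue(host, false, []string{host}, now.Add(-day), now.Add(year), ca, caKey)
	expired, _ := issue(host, false, []string{host}, now.Add(-2*year), now.Add(-year), ca, caKey)
	rogue, _ := issue(host, false, []string{host}, now.Add(-day), now.Add(year), nil, nil) // self-signed
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return map[string]bool{
		"stub_accepts_rogue":          stubVerify(rogue),
		"issuer_only_rejects_rogue":   !issuerOnlyVerify(rogue, ca),
		"issuer_only_accepts_expired": issuerOnlyVerify(expired, ca),
		"full_accepts_good":           verifyServerCert(good, roots, host, now),
		"full_rejects_wrong_host":     !verifyServerCert(good, roots, "other.example.test", now),
		"full_rejects_expired":        !verifyServerCert(expired, roots, host, now),
		"full_rejects_rogue":          !verifyServerCert(rogue, roots, host, now),
	}
}

func main() {
	for k, v := range runScenario() {
		fmt.Printf("%-28s %v\n", k, v)
	}
}
```

The point of the three-way comparison is the one the mail makes: the issuer-only check catches a certificate from an unknown signer but still accepts an expired one (and, since it never sees the host name, would accept any certificate the trusted CA ever issued for any other host), while the full check fails closed on each of those cases.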