Bug 520454 (CVE-2009-3490)

Summary: CVE-2009-3490 wget: incorrect verification of SSL certificate with NUL in name
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: karsten, kreilly, micah, psplicha
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-02-10 07:14:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 527660, 527661, 527662, 527663, 527664, 527667, 802808    
Bug Blocks:    

Description Tomas Hoger 2009-08-31 14:48:13 UTC 
A method to bypass SSL certificate name vs. host name verification via NUL
('\0') character embedded in X509 certificate's CommonName or subjectAltName
was presented at Black Hat USA 2009:

http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike

Similar problem affected wget (from a testing and very quick look at the code, subjectAltNames are not supported, hence only CommonName is a vector).

Upstream bug report:
http://savannah.gnu.org/bugs/?27183 (currently not public)

Contents of upstream bug report, leaked via wget-notify list:
http://addictivecode.org/pipermail/wget-notify/2009-August/001808.html

Upstream fixes:
http://hg.addictivecode.org/wget/mainline/rev/2d8c76a23e7d
http://hg.addictivecode.org/wget/mainline/rev/f2d2ca32fd1b
http://hg.addictivecode.org/wget/mainline/rev/1eab157d3be7
Comment 2 Tomas Hoger 2009-09-23 09:01:34 UTC 
wget 1.12 was released including this fix:
  http://permalink.gmane.org/gmane.comp.web.wget.general/8972
Comment 12 errata-xmlrpc 2009-11-03 20:06:23 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4

Via RHSA-2009:1549 https://rhn.redhat.com/errata/RHSA-2009-1549.html
Comment 13 Fedora Update System 2009-11-17 13:31:17 UTC 
wget-1.12-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/wget-1.12-1.fc11
Comment 14 Fedora Update System 2009-11-17 13:31:22 UTC 
wget-1.12-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/wget-1.12-1.fc12
Comment 15 Fedora Update System 2009-11-17 13:31:27 UTC 
wget-1.12-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/wget-1.12-1.fc10
Comment 16 Fedora Update System 2009-11-18 16:21:11 UTC 
wget-1.12-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/wget-1.12-2.fc12
Comment 17 Fedora Update System 2009-12-03 04:56:10 UTC 
wget-1.12-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2009-12-03 04:56:29 UTC 
wget-1.12-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2009-12-03 05:12:03 UTC 
wget-1.12-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.