Bug 881399 (CVE-2012-6709)

Summary: CVE-2012-6709 elinks/links: does not properly verify SSL certificates
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, cheimes, kdudka, lkundrak, nkinder, ovasik, scorneli, security-response-team, tru, yjog
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20121128,reported=20121128,source=debian,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,fedora-all/links=affected,epel-6/links=affected,fedora-all/elinks=affected,rhel-5/elinks=wontfix,rhel-6/elinks=wontfix,rhel-7/elinks=wontfix
Doc Type: Bug Fix
Last Closed: 2018-03-20 10:30:57 EDT
Bug Depends On: 881409, 881410, 881411, 910815, 1533165, 1533166
Bug Blocks: 881405

Attachments:
    [PATCH] openssl: use the OpenSSL-provided host name check (flags: none)
    [PATCH v2] openssl: use the OpenSSL-provided host name check (flags: kdudka: review? (cheimes))

Description Vincent Danen 2012-11-28 15:34:34 EST
A Debian bug report [1] indicated that Links does not properly verify SSL certificates.  If you visit a web site with an expired SSL certificate, Links will only display "SSL error" without any indication as to what the error was.  This, in and of itself, is not a flaw; however, when testing, I found that when you go to a site with a valid SSL certificate, but for a different hostname (for example, if you go to https://alias.foo.com which might be a CNAME or a proxy for https://foo.com), Links will connect without any errors or warnings.  Doing the same in a browser like Google Chrome, however, reports "You attempted to reach alias.foo.com, but instead you actually reached a server identifying itself as foo.com." and allows you to either proceed or not, before loading the site.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694658
Comment 1 Vincent Danen 2012-11-28 15:42:13 EST
Elinks suffers from the same thing, and I suspect they have similar code with regards to SSL handling as Elinks originated from Links.
Comment 2 Vincent Danen 2012-11-28 15:55:41 EST
Created elinks tracking bugs for this issue

Affects: fedora-all [bug 881411]
Comment 3 Vincent Danen 2012-11-28 15:55:44 EST
Created links tracking bugs for this issue

Affects: fedora-all [bug 881409]
Affects: epel-6 [bug 881410]
Comment 10 Fedora Update System 2013-10-13 15:51:37 EDT
elinks-0.12-0.36.pre6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2013-10-14 03:03:00 EDT
elinks-0.12-0.33.pre6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-10-14 03:08:35 EDT
elinks-0.12-0.35.pre6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-10-14 13:12:26 EDT
elinks-0.12-0.35.pre6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2013-10-14 13:20:33 EDT
elinks-0.12-0.33.pre6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Murray McAllister 2014-03-07 00:35:57 EST
Debian report about elinks not checking that the hostname matches the certificate's Common Name or subjectAltName:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740981

Seems to be fixed by the patch in bug 881411.
Comment 16 Vincent Danen 2014-05-20 08:34:08 EDT
Note that the patch used in Fedora seems to be broken, at least in Fedora 20 as per https://bugzilla.redhat.com/show_bug.cgi?id=881411#c22.  Another bug #1099423 has more details there.
Comment 17 Kamil Dudka 2015-03-30 10:42:45 EDT
I have switched ELinks back to OpenSSL because nss_compat_ossl is no longer maintained.

Here is the backported upstream patch I applied to fix this vulnerability:

http://pkgs.fedoraproject.org/cgit/elinks.git/tree/elinks-0.12pre6-ssl-hostname.patch?id=6e8e7242

Red Hat Product Security, could you please review the patch?
Comment 22 Kamil Dudka 2015-06-05 13:11:15 EDT
Created attachment 1035386 [details]
[PATCH] openssl: use the OpenSSL-provided host name check

Hi Christian,

thanks a lot for the suggestion!  I have implemented it in the attached patch for ELinks.  Would you be willing to do a review of the patch?

It applies on the master branch of the upstream git repository:

http://repo.or.cz/w/elinks.git
Comment 23 Christian Heimes 2015-06-09 09:42:02 EDT
Hi Kamil,

I think your patch has at least one resource leak. You have to call X509_VERIFY_PARAM_free(vpm).

Christian
Comment 24 Kamil Dudka 2015-06-10 08:46:31 EDT
Created attachment 1037270 [details]
[PATCH v2] openssl: use the OpenSSL-provided host name check

(In reply to Christian Heimes from comment #23)
> I think your patch has at least one resource leak. You have to call
> X509_VERIFY_PARAM_free(vpm).

Good catch!  I mistakenly thought that SSL_set1_param() would take ownership of the allocated object.  Could you please have a look at the improved version of that patch?
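The host name check that the patch above delegates to OpenSSL, modelled in Python as an added illustration (this is not ELinks or OpenSSL code): given a certificate's subjectAltName dNSName entries and its Common Name, decide whether the requested host is covered, which is the step the unpatched client skipped in the alias.foo.com / foo.com scenario from the description. It follows OpenSSL's default of consulting the CN only when no dNSName entries exist, but applies the conservative RFC 6125 wildcard rule (one whole-label wildcard, left-most position only), which is stricter than OpenSSL's default flags.

```python
"""Constructed model of certificate host name matching (not ELinks/OpenSSL code)."""


def _label_match(pattern, label):
    # A wildcard is honoured only as an entire label ("*"), so "*.foo.com"
    # covers "alias.foo.com" but "f*o.com" covers nothing.
    return pattern == "*" or pattern == label


def hostname_matches(hostname, dns_names, common_name=None):
    """Return True if `hostname` is covered by the certificate identities.

    dns_names   -- subjectAltName dNSName values (list of str)
    common_name -- subject CN, used only when dns_names is empty
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    candidates = dns_names if dns_names else ([common_name] if common_name else [])
    for ident in candidates:
        labels = ident.rstrip(".").lower().split(".")
        # A wildcard never matches more than one label, so the label counts
        # must agree exactly ("*.foo.com" does not cover "a.b.foo.com").
        if len(labels) != len(host_labels):
            continue
        if "*" in ident:
            # Only "*.<at least two labels>" is acceptable; reject "*.com",
            # partial wildcards and wildcards outside the left-most label.
            if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
                continue
        if all(_label_match(p, l) for p, l in zip(labels, host_labels)):
            return True
    return False


def bug_scenario():
    """The case from the report: cert issued for foo.com, user asked for alias.foo.com.

    Chain validation is assumed to have passed; only the host name step is shown,
    and it must fail so the client can warn instead of silently connecting.
    """
    return hostname_matches("alias.foo.com", ["foo.com"], common_name="foo.com")
```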
Comment 25 Kamil Dudka 2015-06-30 06:39:07 EDT
(In reply to Kamil Dudka from comment #24)
> Created attachment 1037270 [details]
> [PATCH v2] openssl: use the OpenSSL-provided host name check

proposed upstream:

http://lists.linuxfromscratch.org/pipermail/elinks-dev/2015-June/002099.html
Comment 26 Kamil Dudka 2015-07-07 07:50:30 EDT
(In reply to Kamil Dudka from comment #25)
> (In reply to Kamil Dudka from comment #24)
> > Created attachment 1037270 [details]
> > [PATCH v2] openssl: use the OpenSSL-provided host name check
> 
> proposed upstream:
> 
> http://lists.linuxfromscratch.org/pipermail/elinks-dev/2015-June/002099.html

Patch included in elinks-0.12-0.47.pre6.fc23:

http://pkgs.fedoraproject.org/cgit/elinks.git/commit/?id=f94b7750
Comment 43 Stefan Cornelius 2018-03-20 10:31:12 EDT
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.