Bug 881399 (CVE-2012-6709)
Summary: | CVE-2012-6709 elinks/links: does not properly verify SSL certificates | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> | ||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
Status: | CLOSED WONTFIX | QA Contact: | |||||||
Severity: | medium | Docs Contact: | |||||||
Priority: | medium | ||||||||
Version: | unspecified | CC: | carnil, cheimes, kdudka, lkundrak, nkinder, ovasik, pasteur, scorneli, security-response-team, yjog | ||||||
Target Milestone: | --- | Keywords: | Security | ||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2018-03-20 14:30:57 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | 881409, 881410, 881411, 910815, 1533165, 1533166 | ||||||||
Bug Blocks: | 881405 | ||||||||
Attachments: |
|
Description
Vincent Danen
2012-11-28 20:34:34 UTC
Elinks suffers from the same thing, and I suspect they have similar code with regards to SSL handling as Elinks originated from Links. Created elinks tracking bugs for this issue Affects: fedora-all [bug 881411] Created links tracking bugs for this issue Affects: fedora-all [bug 881409] Affects: epel-6 [bug 881410] elinks-0.12-0.36.pre6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. elinks-0.12-0.33.pre6.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. elinks-0.12-0.35.pre6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. elinks-0.12-0.35.pre6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. elinks-0.12-0.33.pre6.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. Debian report about elinks not checking the hostname matches the certificate's Common Name or subjectAltName: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740981 Seems to be fixed by the patch in bug 881411 Note that the patch used in Fedora seems to be broken, at least in Fedora 20 as per https://bugzilla.redhat.com/show_bug.cgi?id=881411#c22. Another bug #1099423 has more details there. I have switched ELinks back to OpenSSL because nss_compat_ossl is no longer maintained. Here is the backported upstream patch I applied to fix this vulnerability: http://pkgs.fedoraproject.org/cgit/elinks.git/tree/elinks-0.12pre6-ssl-hostname.patch?id=6e8e7242 Red Hat Product Security, could you please review the patch? Created attachment 1035386 [details] [PATCH] openssl: use the OpenSSL-provided host name check Hi Christian, thanks a lot for the suggestion! I have implemented it in the attached patch for ELinks. Would you be willing to do a review of the patch? It applies on the master branch of the upstream git repository: http://repo.or.cz/w/elinks.git Hi Kamil, I think your patch has at least one resource leak. You have to call X509_VERIFY_PARAM_free(vpm). Christian Created attachment 1037270 [details] [PATCH v2] openssl: use the OpenSSL-provided host name check (In reply to Christian Heimes from comment #23) > I think your patch has at least one resource leak. You have to call > X509_VERIFY_PARAM_free(vpm). Good catch! I mistakenly thought that SSL_set1_param() would take ownership of the allocated object. Could you please have a look at the improved version of that patch? (In reply to Kamil Dudka from comment #24) > Created attachment 1037270 [details] > [PATCH v2] openssl: use the OpenSSL-provided host name check proposed upstream: http://lists.linuxfromscratch.org/pipermail/elinks-dev/2015-June/002099.html (In reply to Kamil Dudka from comment #25) > (In reply to Kamil Dudka from comment #24) > > Created attachment 1037270 [details] > > [PATCH v2] openssl: use the OpenSSL-provided host name check > > proposed upstream: > > http://lists.linuxfromscratch.org/pipermail/elinks-dev/2015-June/002099.html Patch included in elinks-0.12-0.47.pre6.fc23: http://pkgs.fedoraproject.org/cgit/elinks.git/commit/?id=f94b7750 Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. |