Bug 908463 (CVE-2013-0264)

Summary: CVE-2013-0264 cumin: server certificate validation is always disabled when connecting to Aviary servers
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: croberts, jrusnack, matt, security-response-team, sgraf, tmckay
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2019-06-10 11:00:03 UTC
Bug Depends On: 908051, 908505

Description Vincent Danen 2013-02-06 18:39:23 UTC
Trevor McKay discovered that, due to movement of code to aviary/python/aviary/clients.py, an import error was introduced inside of an exception block that tests for support of server certificate validation over HTTP.  Because of this, server certificate validation is always disabled when connecting to Aviary servers, even if the installed packages on a system support it.  If an administrator had set up cumin, expecting server certificate validation, they would not realize it had been disabled unless they examined the web.log file.

This issue was introduced in the code refactoring in r5310.  Cumin has been built for all supported versions of Fedora at r5522, which contains the fault.  Current versions of Red Hat Enterprise MRG do not ship with the faulty code and are unaffected.


Statement:

Not vulnerable. This issue did not affect the versions of cumin as shipped with Red Hat Enterprise MRG 1 or 2.


Acknowledgements:

This issue was discovered by Trevor McKay of Red Hat.
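
The failure mode described above (a capability probe wrapped in a bare `except`, so a coding error inside the `try` is reported as "feature not available" and server certificate validation is silently dropped), shown as an added example that is not part of this bug report or of cumin's code. `demo_https_full` is a constructed stand-in for the sage.https_full module named in the report, and the function names are the example's own:

```python
"""Why a bare ``except`` around feature detection silently turned off TLS
server-certificate validation, and how to probe the capability safely.

Added example for this bug report; not cumin's code.  ``demo_https_full`` is a
constructed stand-in for the sage.https_full module the report names.
"""
import importlib
import logging
import sys
import types

log = logging.getLogger("demo")
MODULE = "demo_https_full"  # constructed module name, not a real package


def install_fake_module(technology="m2crypto (constructed)"):
    """Register a throwaway module so the imports below succeed offline."""
    mod = types.ModuleType(MODULE)
    mod.technology = technology
    mod.HTTPSFullCertTransport = type("HTTPSFullCertTransport", (object,), {})
    sys.modules[MODULE] = mod
    return mod


def remove_fake_module():
    """Simulate a system without the full-cert transport installed."""
    sys.modules.pop(MODULE, None)


def detect_buggy():
    """The pattern the report describes.

    ``from ... import`` succeeds, but the next line refers to the package name
    ``demo_https_full``, which ``from`` never binds, so it raises NameError.
    The bare ``except`` cannot tell NameError from ImportError and reports
    'no full-cert support' even though the module is installed.
    """
    try:
        from demo_https_full import HTTPSFullCertTransport
        has_full_cert = True
        technology = demo_https_full.technology  # NameError: name not bound
    except:  # deliberately bare: this is the defect being demonstrated
        has_full_cert = False
        technology = None
    return has_full_cert, technology


def detect_fixed():
    """Catch only ImportError around the import, then read the attribute from
    the module object instead of from an unbound name."""
    try:
        mod = importlib.import_module(MODULE)
    except ImportError:
        log.warning("server certificate validation is NOT available: "
                    "%s cannot be imported", MODULE)
        return False, "unspecified"
    technology = getattr(mod, "technology", "unspecified")
    log.info("server certificate validation available via %s", technology)
    return True, technology


def choose_validation(require_validation):
    """Fail closed: if the administrator asked for server certificate
    validation and the capability is missing, refuse to start rather than
    quietly connecting without it (the report's admins only learned of the
    downgrade from web.log)."""
    has_full_cert, technology = detect_fixed()
    if require_validation and not has_full_cert:
        raise RuntimeError("server certificate validation was requested "
                           "but no capable HTTPS transport is installed")
    return has_full_cert, technology


def refuses_to_start(require_validation):
    """True when choose_validation fails closed for the given setting."""
    try:
        choose_validation(require_validation)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    install_fake_module()
    print("buggy, module present:", detect_buggy())   # (False, None)
    print("fixed, module present:", detect_fixed())   # (True, 'm2crypto (constructed)')
    remove_fake_module()
    print("fixed, module absent :", detect_fixed())   # (False, 'unspecified')
    print("fails closed when required:", refuses_to_start(True))  # True
```

The buggy probe returns `(False, None)` even with the module installed, which is exactly the always-disabled behaviour the report describes; the fixed probe distinguishes "not installed" from "my own code is broken", and `choose_validation` turns a requested-but-unavailable validator into a startup error instead of a line in a log file.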

Comment 1 Vincent Danen 2013-02-06 21:21:23 UTC
Proposed patch:

Index: sage/python/sage/aviary/clients.py
===================================================================
--- sage/python/sage/aviary/clients.py	(revision 5672)
+++ sage/python/sage/aviary/clients.py	(working copy)
@@ -1,4 +1,6 @@
 import os
+import sage
+
 from suds.client import Client
 from sage.util import ObjectPool
 from suds.transport.https import HttpAuthenticated
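Review bot: the file in the hunk header, sage/python/sage/aviary/clients.py, is not the aviary/python/aviary/clients.py named in the description; worth confirming which path the r5522 Fedora builds carry so the tracking bug gets the right patch. The added `import sage` is only needed because the later lookup is spelled `sage.https_full.technology`; importing the attribute alongside the class, `from sage.https_full import HTTPSFullCertTransport, technology`, would remove the dependency on the package name being bound at all.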
@@ -7,10 +9,16 @@
 try:
     from sage.https_full import HTTPSFullCertTransport
     has_full_cert = True
-    technology = sage.https_full.technology
 except:
     has_full_cert = False
 
+technology = "unspecified"
+if has_full_cert:
+    try:
+        technology = sage.https_full.technology
+    except:
+        pass
+
 class TransportFactory(object):
     def __init__(self, key="", cert="", root_cert="", domain_verify=True):
         self.key = key
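Review bot: the bare `except:` clauses, on both the import and the new attribute lookup, are what let this regression hide: a NameError on `sage` (or any other unrelated exception) is recorded as "no full-cert support" and validation is quietly turned off. Narrow them to `except ImportError:` and `except AttributeError:` respectively and log the failure at warning level, so a coding error fails loudly instead of degrading the TLS posture. Once `has_full_cert` is True the second try/except can also collapse to `technology = getattr(sage.https_full, "technology", "unspecified")`.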
@@ -31,7 +39,7 @@
         else:
             log.info("%s: using client and server "\
                      "certificate validation for ssl connections, "\
-                     "solution is %s" % (where, clients.technology))
+                     "solution is %s" % (where, technology))
 
             log.info("%s: verify server domain against "\
                      "certificate during validation (%s)" \
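Review bot: switching `clients.technology` to the module-level `technology` is the right fix for the log line, since `clients` is not a name defined in this file. Given the description's point that an administrator would only discover the disabled validation by reading web.log, consider logging the opposite branch of this `else` (validation unavailable) at warning rather than info so the downgrade stands out.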

Comment 2 Vincent Danen 2013-02-06 21:28:10 UTC
Created cumin tracking bugs for this issue

Affects: fedora-all [bug 908505]

Comment 3 Trevor McKay 2013-02-13 18:48:59 UTC
Patch has been committed on the cumin trunk, revision 5700