Red Hat Bugzilla – Bug 571817
CVE-2010-1192 CVE-2010-1194 libESMTP: Multiple certificate validation flaws
Last modified: 2015-07-31 02:25:24 EDT
Issue 1, -------- Kees Cook from Ubuntu Security Team pointed out: [1] http://www.openwall.com/lists/oss-security/2010/03/03/6 that libesmtp is prone to similar attack as CVE-2009-2408 for Firefox / NSS was: [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408 [3] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2408 Dan Kaminsky in his research paper: [4] http://ioactive.com/pdfs/PKILayerCake.pdf details inconsistencies in the interpretation of subject x509 names in certificates. Specifically "issue 2, attack 2c" regarding NULL terminators in a Common Name field. An attacker could create a malicious certificate containing a NULL, which, if they were able to get it signed, could confuse a client into accepting it by mistake. Issue 2, -------- Martin Lambers in relevant Debian bug report: [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191 pointed out that (quoting from [5]): "match_component() will accept two strings as equal if they start equal but don't have equal length. For example, match_domain("mail.example.com", "mailhub.example.com") and match_domain("mail.somewhere.com", "mail.somewhere-else.com") return 1, not 0." CVE Request: ------------ [6] http://www.openwall.com/lists/oss-security/2010/03/03/6
Created attachment 398839 [details] Local copy of libesmtp-match-component-DBTS#311191 patch Local copy of libESMTP match_component() patch, as applied in Debian (Debian BTS#311191). Extracted from: http://us.archive.ubuntu.com/ubuntu/pool/universe/libe/libesmtp/libesmtp_1.0.4-2.diff.gz
Post with proposed patch from Ludwig Nussel of SUSE: [7] http://www.openwall.com/lists/oss-security/2010/03/10/3
Created attachment 399130 [details] Local copy of proposed libESMTP SSL patch by Ludwig Nussel of SUSE
Created attachment 399131 [details] Proposed fix from Pawel Salek from yesterday
There's still on-going discussion about the fix for this issue: http://thread.gmane.org/gmane.comp.security.oss.general/2637
Common Vulnerabilities and Exposures assigned following identifiers to these issues: A, CVE-2010-1192 libESMTP, probably 1.0.4 and earlier, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1192 [2] http://www.openwall.com/lists/oss-security/2010/03/03/6 [3] http://www.openwall.com/lists/oss-security/2010/03/09/3 B, CVE-2010-1194 The match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and possibly other versions including 1.0.4, treats two strings as equal if one is a substring of the other, which allows remote attackers to spoof trusted certificates via a crafted subjectAltName. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1194 [2] http://www.openwall.com/lists/oss-security/2010/03/03/6 [3] http://www.openwall.com/lists/oss-security/2010/03/09/3 [4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191
Should this bug be closed now that there are much newer versions of libESMTP? Changelog (http://www.stafford.uklinux.net/libesmtp/ChangeLog.txt) mentions related changes though I did not look at the implementation details.
(In reply to Richard Zidlicky from comment #10) > Should this bug be closed now that there are much newer versions of libESMTP? It does not seem this ever got fixed in EPEL-5.
Created libesmtp tracking bugs for this issue: Affects: epel-5 [bug 1114552]
The libesmtp packages in the Red Hat Enterprise Linux 6 were fixed before the initial product release.