Red Hat Bugzilla – Bug 817692
CVE-2012-2132 libsoup: does not indicate whether or not an SSL certificate is valid
Last modified: 2015-07-29 09:00:59 EDT
It was reported that libsoup did not verify certificates if an application using it did not explicitly specify a file with trusted root certificate authorities. Because libsoup relies on the verification failure to clear the trust flag, it would always consider SSL connections as trusted in this circumstance.
SUSE has a patch to correct this flaw in libsoup 2.32.2 in their bugzilla. Looking at the patch, it would apply to earlier versions of libsoup as well.
The CVE is wrong. The bug is in Midori. It is telling libsoup to trust all SSL certificates, and so then libsoup reports that all SSL certificates are trusted, just like Midori asked.
To the extent that this is libsoup's fault, it's because it supports the feature Midori is trying to implement here, but doesn't document how to do it correctly. But it is *possible* to do it correctly, as seen in epiphany.
The SUSE patch is just wrong, as I'm sure they will notice shortly... (e.g., it will completely break https in evolution).
(In reply to comment #1)
> To the extent that this is libsoup's fault, it's because it supports the
> feature Midori is trying to implement here, but doesn't document how to do it
(and the API in question wasn't sufficiently-thought-out in advance and ended up being easy to use incorrectly...)
Created attachment 581443
patch against libsoup 2.32
Created attachment 581614
patch against libsoup 2.34 (F15)
ok, apparently 2.34 had an intermediate version between the old old code in F14 and the new-and-improved code in F16.
Created libsoup tracking bugs for this issue
Affects: fedora-15 [bug 818231]
Created mingw32-libsoup tracking bugs for this issue
Affects: fedora-15 [bug 818232]
That's actually a different bug, though it's another aspect of the same confusing API.
This bug is "if ssl-strict is FALSE and ssl-ca-file is NULL, then [something confusing]", and we can fix it.
That bug is "if ssl-strict is *TRUE* and ssl-ca-file is NULL, then [something else confusing]", and we can't fix it (other than by documenting it better), because changing the behavior would break existing apps.
Hm... I was doing the "fedpkg update", and realized that the Midori problem can't actually happen in F15, because Midori (indirectly) depends on ca-certificates there. (midori -> webkitgtk -> libsoup -> glib-networking -> ca-certificates). So there are no actual known problems in any supported version of Fedora or RHEL caused by this bug.
Not vulnerable. This issue did not affect the versions of libsoup as shipped with Red Hat Enterprise Linux 5 and 6, as they do not include support for the SOUP_MESSAGE_CERTIFICATE_TRUSTED feature.
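The report at the top of this bug describes a trust flag that only a verification failure clears. The block below is an added illustration of that pattern next to a fail-closed alternative; it is a simplified model, not libsoup source and not either of the attached patches. All function and type names are hypothetical, the certificate values are constructed, and only the ssl-strict = FALSE case is modelled.

```c
/* Simplified model of the trust-flag logic; NOT libsoup source.
 * All names are hypothetical. Covers only the ssl-strict = FALSE case. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *issuer; } peer_cert;

/* Constructed sample certificates. */
static const peer_cert SELF_SIGNED = { "CN=self-signed.example" };
static const peer_cert CA_ISSUED   = { "CN=Example Root CA" };

/* Stand-in for chain validation: `trusted_issuer` models the contents
 * of the file named by ssl-ca-file. */
static bool chain_validates(const peer_cert *cert, const char *trusted_issuer)
{
    return strcmp(cert->issuer, trusted_issuer) == 0;
}

/* Flawed: the flag starts out set and only a verification failure clears
 * it. With no CA file nothing is verified, so nothing can fail. */
bool trust_flag_flawed(const peer_cert *cert, const char *trusted_issuer)
{
    bool trusted = true;
    if (trusted_issuer != NULL && !chain_validates(cert, trusted_issuer))
        trusted = false;
    return trusted;
}

/* Fail-closed: the flag starts out clear and only a verification that
 * actually ran and succeeded sets it. */
bool trust_flag_fail_closed(const peer_cert *cert, const char *trusted_issuer)
{
    bool trusted = false;
    if (trusted_issuer != NULL && chain_validates(cert, trusted_issuer))
        trusted = true;
    return trusted;
}

int main(void)
{
    const char *ca = "CN=Example Root CA";  /* models a configured ssl-ca-file */
    printf("no CA file, self-signed: flawed=%d fail_closed=%d\n",
           trust_flag_flawed(&SELF_SIGNED, NULL),
           trust_flag_fail_closed(&SELF_SIGNED, NULL));
    printf("CA file,    self-signed: flawed=%d fail_closed=%d\n",
           trust_flag_flawed(&SELF_SIGNED, ca),
           trust_flag_fail_closed(&SELF_SIGNED, ca));
    return 0;
}
```

The two functions differ only when no trust roots are configured, which is the circumstance the report describes.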