Bug 817692 - (CVE-2012-2132) CVE-2012-2132 libsoup: does not indicate whether or not an SSL certificate is valid
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20120423,reported=2...
: Security
Depends On: 818231 818232
Blocks: 817693
Reported: 2012-04-30 18:40 EDT by Vincent Danen
Modified: 2015-07-29 09:00 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-14 02:17:54 EDT

Attachments
patch against libsoup 2.32 (2.11 KB, patch)
2012-05-01 14:43 EDT, Dan Winship
patch against libsoup 2.34 (F15) (2.93 KB, patch)
2012-05-02 09:19 EDT, Dan Winship

Description Vincent Danen 2012-04-30 18:40:52 EDT
It was reported [1] that libsoup did not verify certificates if an application using it did not explicitly specify a file with trusted root certificate authorities.  Because libsoup relies on the verification failure to clear the trust flag, it would always consider SSL connections as trusted in this circumstance.

SUSE has a patch to correct this flaw in libsoup 2.32.2 in their bugzilla [2].  Looking at the patch, it would apply to earlier versions of libsoup as well.

[1] https://bugzilla.novell.com/show_bug.cgi?id=758431
[2] https://bugzillafiles.novell.org/attachment.cgi?id=487674
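
The trust-flag behaviour reported in the description above, as a simplified C model added here for illustration (it is not libsoup code and not part of the original report). The function names, the three-state verification result and the sample CA path are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the reported behaviour. NOT libsoup source;
 * every name below is hypothetical. */
typedef enum { VERIFY_SKIPPED, VERIFY_OK, VERIFY_FAILED } verify_result;

/* Stand-in for the TLS layer: with no CA file configured there is
 * nothing to verify against, so verification never runs. */
static verify_result verify_peer(const char *ca_file, bool chain_is_valid)
{
    if (ca_file == NULL)
        return VERIFY_SKIPPED;
    return chain_is_valid ? VERIFY_OK : VERIFY_FAILED;
}

/* Fail-open: the flag starts set and only an explicit verification
 * failure clears it. A skipped verification leaves it set. */
bool trusted_fail_open(const char *ca_file, bool chain_is_valid)
{
    bool trusted = true;
    if (verify_peer(ca_file, chain_is_valid) == VERIFY_FAILED)
        trusted = false;
    return trusted;
}

/* Fail-closed: the flag is set only by a positive verification, so
 * "skipped" and "failed" both report untrusted. */
bool trusted_fail_closed(const char *ca_file, bool chain_is_valid)
{
    return verify_peer(ca_file, chain_is_valid) == VERIFY_OK;
}

int main(void)
{
    const char *ca = "/constructed/ca-bundle.crt"; /* constructed sample path */
    const char *cas[] = { NULL, NULL, ca, ca };
    const bool valid[] = { false, true, false, true };

    puts("ca_file  chain_valid  fail_open  fail_closed");
    for (size_t i = 0; i < 4; i++)
        printf("%-8s %-12d %-10d %d\n", cas[i] ? "set" : "NULL", valid[i],
               trusted_fail_open(cas[i], valid[i]),
               trusted_fail_closed(cas[i], valid[i]));
    return 0;
}
```

The two variants differ only in the rows where no CA file is configured, which is the case an application reading the trust flag needs to test for.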
Comment 1 Dan Winship 2012-05-01 10:45:08 EDT
The CVE is wrong. The bug is in Midori. It is telling libsoup to trust all SSL certificates, and so then libsoup reports that all SSL certificates are trusted, just like Midori asked.

To the extent that this is libsoup's fault, it's because it supports the feature Midori is trying to implement here, but doesn't document how to do it correctly. But it is *possible* to do it correctly, as seen in epiphany.

The SUSE patch is just wrong, as I'm sure they will notice shortly... (eg, it will completely break https in evolution).
Comment 2 Dan Winship 2012-05-01 10:51:13 EDT
(In reply to comment #1)
> To the extent that this is libsoup's fault, it's because it supports the
> feature Midori is trying to implement here, but doesn't document how to do it
> correctly

(and the API in question wasn't sufficiently-thought-out in advance and ended up being easy to use incorrectly...)
Comment 4 Dan Winship 2012-05-01 14:43:19 EDT
Created attachment 581443
patch against libsoup 2.32
Comment 6 Dan Winship 2012-05-02 09:19:30 EDT
Created attachment 581614
patch against libsoup 2.34 (F15)

ok, apparently 2.34 had an intermediate version between the old old code in F14 and the new-and-improved code in F16.
Comment 8 Stefan Cornelius 2012-05-02 10:13:44 EDT
Created libsoup tracking bugs for this issue

Affects: fedora-15 [bug 818231]
Comment 9 Stefan Cornelius 2012-05-02 10:13:49 EDT
Created mingw32-libsoup tracking bugs for this issue

Affects: fedora-15 [bug 818232]
Comment 10 Vincent Danen 2012-05-02 18:15:56 EDT
Upstream bug:

https://bugzilla.gnome.org/show_bug.cgi?id=666280
Comment 11 Dan Winship 2012-05-03 08:52:56 EDT
That's actually a different bug, though it's another aspect of the same confusing API.

This bug is "if ssl-strict is FALSE and ssl-ca-file is NULL, then [something confusing]", and we can fix it.

That bug is "if ssl-strict is *TRUE* and ssl-ca-file is NULL, then [something else confusing]", and we can't fix it (other than by documenting it better), because changing the behavior would break existing apps.
Comment 12 Dan Winship 2012-05-03 11:18:08 EDT
Hm... I was doing the "fedpkg update", and realized that the Midori problem can't actually happen in F15, because Midori (indirectly) depends on ca-certificates there. (midori -> webkitgtk -> libsoup -> glib-networking -> ca-certificates). So there are no actual known problems in any supported version of Fedora or RHEL caused by this bug.
Comment 13 Stefan Cornelius 2012-05-03 12:22:44 EDT
Statement:

Not vulnerable. This issue did not affect the versions of libsoup as shipped with Red Hat Enterprise Linux 5 and 6, as they do not include support for the SOUP_MESSAGE_CERTIFICATE_TRUSTED feature.
