Bug 881399 (CVE-2012-6709) - CVE-2012-6709 elinks/links: does not properly verify SSL certificates
Summary: CVE-2012-6709 elinks/links: does not properly verify SSL certificates
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2012-6709
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 881409 881410 881411 910815 1533165 1533166
Blocks: 881405
Reported: 2012-11-28 20:34 UTC by Vincent Danen
Modified: 2021-02-17 08:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-20 14:30:57 UTC
Embargoed:


Attachments
[PATCH] openssl: use the OpenSSL-provided host name check (3.79 KB, patch) - 2015-06-05 17:11 UTC, Kamil Dudka
[PATCH v2] openssl: use the OpenSSL-provided host name check (3.40 KB, patch) - 2015-06-10 12:46 UTC, Kamil Dudka

Description Vincent Danen 2012-11-28 20:34:34 UTC
A Debian bug report [1] indicated that Links does not properly verify SSL certificates.  If you visit a web site with an expired SSL certificate, Links will only display "SSL error" without any indication as to what the error was.  This, in and of itself, is not a flaw; however, when testing, I found that when you go to a site with a valid SSL certificate, but for a different hostname (for example, if you go to https://alias.foo.com which might be a CNAME or a proxy for https://foo.com), Links will connect without any errors or warnings.  Doing the same in a browser like Google Chrome, however, reports "You attempted to reach alias.foo.com, but instead you actually reached a server identifying itself as foo.com." and allows you to either proceed or not, before loading the site.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694658

Comment 1 Vincent Danen 2012-11-28 20:42:13 UTC
Elinks suffers from the same thing, and I suspect they have similar code with regard to SSL handling, as Elinks originated from Links.

Comment 2 Vincent Danen 2012-11-28 20:55:41 UTC
Created elinks tracking bugs for this issue

Affects: fedora-all [bug 881411]

Comment 3 Vincent Danen 2012-11-28 20:55:44 UTC
Created links tracking bugs for this issue

Affects: fedora-all [bug 881409]
Affects: epel-6 [bug 881410]

Comment 10 Fedora Update System 2013-10-13 19:51:37 UTC
elinks-0.12-0.36.pre6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2013-10-14 07:03:00 UTC
elinks-0.12-0.33.pre6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2013-10-14 07:08:35 UTC
elinks-0.12-0.35.pre6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2013-10-14 17:12:26 UTC
elinks-0.12-0.35.pre6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2013-10-14 17:20:33 UTC
elinks-0.12-0.33.pre6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Murray McAllister 2014-03-07 05:35:57 UTC
Debian report about elinks not checking the hostname matches the certificate's Common Name or subjectAltName:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740981

Seems to be fixed by the patch in bug 881411
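The missing check described in the description and in comment 15 is the one every TLS client must perform after chain validation: the host name the user typed must match a dNSName subjectAltName of the presented certificate, or, only when the certificate carries no dNSName SAN at all, its subject Common Name. The following Python block is an added illustration of that matching rule (RFC 6125 style: case-insensitive, wildcard only as the whole leftmost label, SAN takes precedence over CN, IP literals matched against "IP Address" SANs). It is not code from ELinks, Links or OpenSSL; the certificate dictionaries are constructed samples shaped like what Python's ssl.SSLSocket.getpeercert() returns, and the function names are the author's own. It also produces the kind of explanatory message the reporter quotes from Chrome instead of a bare "SSL error".

```python
from __future__ import annotations

import ipaddress

# Constructed sample certificates (not real), in the dict shape ssl.getpeercert() uses.
# The site foo.com from the bug description: SANs for foo.com and www.foo.com only.
FOO_COM_CERT = {
    "subject": ((("commonName", "foo.com"),),),
    "subjectAltName": (("DNS", "foo.com"), ("DNS", "www.foo.com")),
}
# A wildcard certificate that legitimately covers alias.foo.com.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.foo.com"),),),
    "subjectAltName": (("DNS", "*.foo.com"),),
}
# A legacy certificate with no SAN extension at all: CN fallback applies.
CN_ONLY_CERT = {"subject": ((("commonName", "foo.com"),),)}


def cert_names(cert: dict) -> tuple[list[str], list[str]]:
    """Return (dNSName SANs, subject commonName values) of a getpeercert()-style dict."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ()) for (key, value) in rdn if key == "commonName"]
    return sans, cns


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly '*.example') against a host name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard covers exactly one label, never zero or several
    if p_labels[0] == "*":
        # Reject '*' and '*.com': a wildcard must sit under at least two fixed labels.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards (f*o.example) and wildcards in inner labels are not honoured
    return p_labels == h_labels


def _as_ip(host: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address | None:
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def match_hostname(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname; SAN entries take precedence over CN."""
    ip = _as_ip(hostname)
    if ip is not None:
        # IP literals are never matched against DNS names or the CN.
        return any(
            kind == "IP Address" and _as_ip(value) == ip
            for (kind, value) in cert.get("subjectAltName", ())
        )
    sans, cns = cert_names(cert)
    candidates = sans if sans else cns  # CN is consulted only when no dNSName SAN exists
    return any(_dns_name_matches(name, hostname) for name in candidates)


def mismatch_message(cert: dict, hostname: str) -> str | None:
    """None when the name matches, otherwise a user-facing explanation of the mismatch."""
    if match_hostname(cert, hostname):
        return None
    sans, cns = cert_names(cert)
    presented = ", ".join(sans or cns) or "<no name>"
    return f"You attempted to reach {hostname}, but the server identified itself as {presented}."


if __name__ == "__main__":
    for cert, host in ((FOO_COM_CERT, "foo.com"), (FOO_COM_CERT, "alias.foo.com"),
                       (WILDCARD_CERT, "alias.foo.com"), (WILDCARD_CERT, "foo.com")):
        print(host, "->", mismatch_message(cert, host) or "ok")
```

Run stand-alone it reports "ok" for foo.com and for alias.foo.com under the wildcard certificate, and a mismatch for alias.foo.com against the foo.com certificate, which is the case Links silently accepted. A client that skips this step trusts any certificate a CA ever issued to anyone, so the chain validation before it buys almost nothing.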

Comment 16 Vincent Danen 2014-05-20 12:34:08 UTC
Note that the patch used in Fedora seems to be broken, at least in Fedora 20, as per https://bugzilla.redhat.com/show_bug.cgi?id=881411#c22.  Bug #1099423 has more details.

Comment 17 Kamil Dudka 2015-03-30 14:42:45 UTC
I have switched ELinks back to OpenSSL because nss_compat_ossl is no longer maintained.

Here is the backported upstream patch I applied to fix this vulnerability:

http://pkgs.fedoraproject.org/cgit/elinks.git/tree/elinks-0.12pre6-ssl-hostname.patch?id=6e8e7242

Red Hat Product Security, could you please review the patch?

Comment 22 Kamil Dudka 2015-06-05 17:11:15 UTC
Created attachment 1035386 [details]
[PATCH] openssl: use the OpenSSL-provided host name check

Hi Christian,

thanks a lot for the suggestion!  I have implemented it in the attached patch for ELinks.  Would you be willing to do a review of the patch?

It applies on the master branch of the upstream git repository:

http://repo.or.cz/w/elinks.git

Comment 23 Christian Heimes 2015-06-09 13:42:02 UTC
Hi Kamil,

I think your patch has at least one resource leak. You have to call X509_VERIFY_PARAM_free(vpm).

Christian

Comment 24 Kamil Dudka 2015-06-10 12:46:31 UTC
Created attachment 1037270 [details]
[PATCH v2] openssl: use the OpenSSL-provided host name check

(In reply to Christian Heimes from comment #23)
> I think your patch has at least one resource leak. You have to call
> X509_VERIFY_PARAM_free(vpm).

Good catch!  I mistakenly thought that SSL_set1_param() would take ownership of the allocated object.  Could you please have a look at the improved version of that patch?

Comment 25 Kamil Dudka 2015-06-30 10:39:07 UTC
(In reply to Kamil Dudka from comment #24)
> Created attachment 1037270 [details]
> [PATCH v2] openssl: use the OpenSSL-provided host name check

Proposed upstream:

http://lists.linuxfromscratch.org/pipermail/elinks-dev/2015-June/002099.html

Comment 26 Kamil Dudka 2015-07-07 11:50:30 UTC
(In reply to Kamil Dudka from comment #25)
> (In reply to Kamil Dudka from comment #24)
> > Created attachment 1037270 [details]
> > [PATCH v2] openssl: use the OpenSSL-provided host name check
> 
> proposed upstream:
> 
> http://lists.linuxfromscratch.org/pipermail/elinks-dev/2015-June/002099.html

Patch included in elinks-0.12-0.47.pre6.fc23:

http://pkgs.fedoraproject.org/cgit/elinks.git/commit/?id=f94b7750

Comment 43 Stefan Cornelius 2018-03-20 14:31:12 UTC
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

