604855 – (CVE-2010-2074) CVE-2010-2074 w3m: doesn't handle NULL in Common Name properly

Bug 604855 (CVE-2010-2074) - CVE-2010-2074 w3m: doesn't handle NULL in Common Name properly

Summary: CVE-2010-2074 w3m: doesn't handle NULL in Common Name properly

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2010-2074
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	604861 604862 604863 604864
Blocks:
TreeView+	depends on / blocked

Reported:	2010-06-16 20:53 UTC by Vincent Danen
Modified:	2019-09-29 12:36 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2012-12-27 15:52:13 UTC
Embargoed:

Attachments	(Terms of Use)
check for null bytes in CN/subjAltName (1.59 KB, application/octet-stream) 2010-06-16 21:03 UTC, Vincent Danen	no flags	Details
patch to force ssl_verify_server on and disable SSLv2 support (920 bytes, patch) 2010-06-16 21:05 UTC, Vincent Danen	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2010:0565	0	normal	SHIPPED_LIVE	Moderate: w3m security update	2010-07-27 12:58:42 UTC

Description Vincent Danen 2010-06-16 20:53:30 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2074 to
the following vulnerability:

Name: CVE-2010-2074
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2074
Assigned: 20100525
Reference: MLIST:[oss-security] 20100614 CVE Request: w3m does not check null bytes CN/subjAltName
Reference: URL: http://www.openwall.com/lists/oss-security/2010/06/14/4
Reference: BID:40837
Reference: URL: http://www.securityfocus.com/bid/40837
Reference: SECUNIA:40134
Reference: URL: http://secunia.com/advisories/40134
Reference: VUPEN:ADV-2010-1467
Reference: URL: http://www.vupen.com/english/advisories/2010/1467

istream.c in w3m 0.5.2 and possibly other versions, when
ssl_verify_server is enabled, does not properly handle a '\0'
character in a domain name in the (1) subject's Common Name or (2)
Subject Alternative Name field of an X.509 certificate, which allows
man-in-the-middle attackers to spoof arbitrary SSL servers via a
crafted certificate issued by a legitimate Certification Authority, a
related issue to CVE-2009-2408.

Comment 1 Vincent Danen 2010-06-16 21:01:37 UTC

As noted by Ludwig Nussel of the SUSE security team, w3m does not, by default, verify certificates, however the /etc/w3m/config configuration as supplied by Red Hat Enterprise Linux 5 and Fedora, do have "ssl_verify_server 1" set, so w3m is doing certificate verification by default.

Comment 2 Vincent Danen 2010-06-16 21:03:07 UTC

Created attachment 424590 [details]
check for null bytes in CN/subjAltName

Patch provided by Ludwig Nussel from the SUSE security team.

Comment 3 Vincent Danen 2010-06-16 21:05:14 UTC

Created attachment 424591 [details]
patch to force ssl_verify_server on and disable SSLv2 support

Patch provided by Ludwig Nussel from the SUSE security team.  We don't necessarily need this to enable SSL verification as we do that already, however this patch also disables the use of SSLv2 which we may want.

Comment 5 Vincent Danen 2010-06-16 21:13:26 UTC

Created w3m tracking bugs for this issue

Affects: fedora-all [bug 604864]

Comment 11 Fedora Update System 2010-06-22 10:46:12 UTC

w3m-0.5.2-18.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/w3m-0.5.2-18.fc13

Comment 12 Fedora Update System 2010-06-24 06:52:45 UTC

w3m-0.5.2-17.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/w3m-0.5.2-17.fc12

Comment 18 Fedora Update System 2010-07-08 18:28:04 UTC

w3m-0.5.2-18.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2010-07-20 22:46:23 UTC

w3m-0.5.2-17.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 errata-xmlrpc 2010-07-27 12:58:45 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0565 https://rhn.redhat.com/errata/RHSA-2010-0565.html

Comment 29 Parag Nemade 2012-12-27 15:52:13 UTC

Closing this as this is fixed in all needed product versions

Note You need to log in before you can comment on or make changes to this bug.