Bug 908463 (CVE-2013-0264) - CVE-2013-0264 cumin: server certificate validation is always disabled when connecting to Aviary servers
Summary: CVE-2013-0264 cumin: server certificate validation is always disabled when co...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-0264
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 908051 908505
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-02-06 18:39 UTC by Vincent Danen
Modified: 2023-05-11 21:54 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 11:00:03 UTC
Embargoed:

Attachments (Terms of Use)

Description Vincent Danen 2013-02-06 18:39:23 UTC 
Trevor McKay discovered that, due to movement of code to aviary/python/aviary/clients.py, an import error was introduced inside of an exception block that tests for suport of server certificate validation over HTTP.  Because of this, server certificate validation is always disabled when connecting to Aviary servers, even if the installed packages on a system support it.  If an administrator had setup cumin, expecting server certificate validation, they would not realize it had been disabled unless they examined the web.log file.

This issue was introduced in the code refactoring in r5310.  Cumin has been built for all supported versions of Fedora at r5522, which contains the fault.  Current versions of Red Hat Enterprise MRG do not ship with the faulty code and are unaffected.


Statement:

Not vulnerable. This issue did not affect the versions of cumin as shipped with Red Hat Enterprise MRG 1 or 2.


Acknowledgements:

This issue was discovered by Trevor McKay of Red Hat.
Comment 1 Vincent Danen 2013-02-06 21:21:23 UTC 
Proposed patch:

Index: sage/python/sage/aviary/clients.py
===================================================================
--- sage/python/sage/aviary/clients.py	(revision 5672)
+++ sage/python/sage/aviary/clients.py	(working copy)
@@ -1,4 +1,6 @@
 import os
+import sage
+
 from suds.client import Client
 from sage.util import ObjectPool
 from suds.transport.https import HttpAuthenticated
@@ -7,10 +9,16 @@
 try:
     from sage.https_full import HTTPSFullCertTransport
     has_full_cert = True
-    technology = sage.https_full.technology
 except:
     has_full_cert = False
 
+technology = "unspecified"
+if has_full_cert:
+    try:
+        technology = sage.https_full.technology
+    except:
+        pass
+
 class TransportFactory(object):
     def __init__(self, key="", cert="", root_cert="", domain_verify=True):
         self.key = key
@@ -31,7 +39,7 @@
         else:
             log.info("%s: using client and server "\
                      "certificate validation for ssl connections, "\
-                     "solution is %s" % (where, clients.technology))
+                     "solution is %s" % (where, technology))
 
             log.info("%s: verify server domain against "\
                      "certificate during validation (%s)" \
Comment 2 Vincent Danen 2013-02-06 21:28:10 UTC 
Created cumin tracking bugs for this issue

Affects: fedora-all [bug 908505]
Comment 3 Trevor McKay 2013-02-13 18:48:59 UTC 
Patch has been committed on the cumin trunk, revision 5700
Note You need to log in before you can comment on or make changes to this bug.