It was found that WebKitGTK+ version 2.7.92 and earlier performed TLS certificate verification too late, after sending an HTTP request rather than before. Applications are affected if they use the WebKit2GTK+ API with WEBKIT_TLS_ERRORS_POLICY_FAIL. (This policy is the default in WebKitGTK+ 2.6.2 and later; applications using earlier versions of WebKitGTK+ must opt in to certificate verification failures by calling webkit_web_context_set_tls_errors_policy.) Applications using the original WebKitGTK+ 1 API are unaffected because they must handle certificate verification themselves.
Created webkitgtk tracking bugs for this issue: Affects: epel-7 [bug 1204658]
Created mingw-webkitgtk tracking bugs for this issue: Affects: epel-7 [bug 1204657]
Created mingw-webkitgtk tracking bugs for this issue: Affects: fedora-all [bug 1204654]
Created webkitgtk tracking bugs for this issue: Affects: fedora-all [bug 1204655]
Turns out the versioning in Fedora is a bit different and the tracking bugs for Fedora and EPEL should not have been filed:
Fedora and EPEL-7 contain webkitgtk, webkitgtk3, and webkitgtk4. webkitgtk3 and webkitgtk are the same sources with the latter being built as a version for gtk+-2.0 with disabled webkit2. On F21, webkitgtk3 WebKit2 is disabled due to the existence of webkitgtk4.
To summarize:
F22, F23: webkitgtk4 fix included in the 2.7.92 update
F21: webkitgtk4 (webkitgtk3 unaffected because of --disable-webkit2)
F20: webkitgtk3 (webkitgtk4 does not exist yet)
RHEL 6 ships WebKitGTK version 1, which is not affected by this flaw. RHEL 7 does ship the affected version of WebKitGTK.
Upstream patch: http://trac.webkit.org/changeset/181074
WebKit connects to the get-headers callback from libsoup, where it verifies the identity of the SSL connection, but by this time it has already started exchange of private data. In gvfs-ftps verification is done from "notify::tls-errors" before any private data is really sent. Evolution has a complicated mechanism for handling this. It connects to the "network-event" signal, and then when the handshake occurs, casts the connection to a GTlsConnection, and connects to the accept-certificate callback. Therefore Evolution is not affected by this issue.
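The hook ordering described in the comment above, as an added example that is not part of the original bug report and is not libsoup, WebKit, gvfs or Evolution code: a small model that walks one connection and records what reached the peer before the certificate verdict. The function names, the lifecycle order (handshake, tls-errors notification, request write, response headers) and the sample request are assumptions made for the illustration.

```python
# Added model of the connection lifecycle; this is not libsoup or WebKit code.
# Step names reuse the signals named in the comment above; the order assumed
# is handshake, tls-errors notification, request write, response headers.
LIFECYCLE = ["accept-certificate", "notify::tls-errors",
             "request-written", "got-headers"]

# Constructed sample request; host and cookie value are placeholders.
REQUEST = (b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n"
           b"Cookie: sid=CONSTRUCTED\r\n\r\n")


def run_connection(verify_hook, cert_ok, policy_fail=True):
    """Walk the lifecycle and return (trace, bytes_sent_to_peer).

    verify_hook: lifecycle step at which the client checks the certificate.
    cert_ok:     whether the peer certificate validates.
    policy_fail: models WEBKIT_TLS_ERRORS_POLICY_FAIL (abort on a bad cert).
    """
    trace, sent = [], b""
    for step in LIFECYCLE:
        if step == "request-written":
            sent += REQUEST          # headers and cookies leave the client here
        trace.append(step)
        if step == verify_hook:
            trace.append("verify:ok" if cert_ok else "verify:bad")
            if policy_fail and not cert_ok:
                trace.append("abort")
                break                # nothing further is sent or received
    return trace, sent


def written_before_verdict(trace):
    """Invariant check: True if the request was written before any verdict."""
    for event in trace:
        if event.startswith("verify:"):
            return False
        if event == "request-written":
            return True
    return False


if __name__ == "__main__":
    for hook in ("got-headers", "notify::tls-errors", "accept-certificate"):
        trace, sent = run_connection(hook, cert_ok=False)
        print(f"{hook:20} leaked={len(sent):3d} bytes "
              f"too_late={written_before_verdict(trace)}")
```

The same invariant, no request bytes before a certificate verdict, can be asserted over a real client's instrumented event log in a regression test.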
Statement: This issue affects the version of the webkitgtk3 package as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this flaw. This issue does not affect the version of the webkitgtk package as shipped with Red Hat Enterprise Linux 6.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-2330