[Bug 868353] Re: in apt-https Verify-Peer does not fail a connection on error
Launchpad Bug Tracker
868353 at bugs.launchpad.net
Mon Nov 28 15:09:31 UTC 2011
This bug was fixed in the package apt - 0.7.25.3ubuntu9.9
---------------
apt (0.7.25.3ubuntu9.9) lucid-security; urgency=low
* SECURITY UPDATE: sensitive information disclosure via incorrect
hostname validation (LP: #868353)
- methods/https.cc: properly set CURLOPT_SSL_VERIFYHOST.
- CVE-2011-3634
* SECURITY UPDATE: Restore apt-key net-update functionality (LP: #857472)
- cmdline/apt-key: improve key validation.
-- Marc Deslauriers <marc.deslauriers at ubuntu.com> Tue, 22 Nov 2011 13:56:02 -0500
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/868353
Title:
in apt-https Verify-Peer does not fail a connection on error
Status in “apt” package in Ubuntu:
Fix Released
Status in “apt” source package in Lucid:
Fix Released
Status in “apt” source package in Maverick:
Fix Released
Bug description:
Description: Ubuntu 10.04.3 LTS
Release: 10.04
Package: apt-transport-https (0.7.25.3ubuntu9.7)
I have enabled Verify-Peer in the https options for apt. The debug
reads as follows:
Trying 192.168.234.53... connected
Connected to 192.168.234.53 (192.168.234.53) port 443 (#0)
found 149 certificates in /etc/ssl/certs/ca-certificates.crt
SSL re-using session ID
server certificate verification OK
common name: 127.0.0.1 (does not match '192.168.234.53')
server certificate expiration date OK
server certificate activation date OK
certificate public key: RSA
certificate version: #3
subject: CN=127.0.0.1
start date: Fri, 30 Sep 2011 14:55:55 GMT
expire date: Sun, 29 Sep 2013 14:55:55 GMT
When checking the source I can see that the following code is
executed:
    // ... and hostname against cert CN or subjectAltName
    int default_verify = 2;
    // global setting, then an optional per-host override
    bool verify = _config->FindB("Acquire::https::Verify-Host",true);
    knob = "Acquire::https::"+remotehost+"::Verify-Host";
    verify = _config->FindB(knob.c_str(),verify);
    if (!verify)
        default_verify = 0;
    // default_verify (0 or 2) is never used; the bool (0 or 1) is passed instead
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify);
According to the documentation, CURLOPT_SSL_VERIFYHOST accepts the values 0, 1 and 2. The value 1 is not recommended, as it flags the non-matching hostname, but does not fail the connection.
The variable "default_verify" is set to 2 or 0 in the above code, but is not used. Instead the boolean variable "verify" is used in the call to set CURLOPT_SSL_VERIFYHOST.
Probably the default_verify should be used in this call.
As the connection is not failed (but only logged), this might result
in a connection to an unwanted host, thus the security vulnerability.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/868353/+subscriptions
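The mechanism the bug description walks through, as an added illustration that is not apt's or libcurl's own code: a small model of apt's config lookup (global Verify-Host plus a per-host override, names assumed from the snippet above) mapped to a CURLOPT_SSL_VERIFYHOST value the buggy way and the fixed way, and a simplified model of how libcurl treats each value (exact CN match only, no SAN or wildcard handling).

```cpp
#include <string>

// CURLOPT_SSL_VERIFYHOST levels as described in the bug report:
//   0 = no hostname check, 1 = log a mismatch but keep the connection,
//   2 = fail the connection on mismatch.
enum VerifyHostLevel { VH_NONE = 0, VH_LOG_ONLY = 1, VH_STRICT = 2 };

// Modelled apt settings: Acquire::https::Verify-Host and the optional
// Acquire::https::<host>::Verify-Host knob (-1 = knob not set).
struct HttpsConfig {
    bool global_verify;
    int  host_override;
};

// Same resolution order as apt: the per-host knob wins when present.
static bool resolve_verify(const HttpsConfig &c) {
    return c.host_override < 0 ? c.global_verify : (c.host_override != 0);
}

// Before the fix: the bool is handed to curl_easy_setopt unchanged,
// so "verify enabled" becomes 1, i.e. log-only.
long verifyhost_before_fix(const HttpsConfig &c) {
    return resolve_verify(c) ? 1L : 0L;
}

// After the fix: an enabled check asks libcurl to fail on mismatch.
long verifyhost_after_fix(const HttpsConfig &c) {
    return resolve_verify(c) ? VH_STRICT : VH_NONE;
}

// Simplified model of libcurl's behaviour for a given level: only
// VH_STRICT ties the connection outcome to the CN/hostname match.
bool connection_allowed(long level, const std::string &cert_cn,
                        const std::string &host) {
    bool match = (cert_cn == host);
    switch (level) {
        case VH_NONE:     return true;
        case VH_LOG_ONLY: return true;   // mismatch only logged
        default:          return match;  // VH_STRICT
    }
}
```

With the reporter's values (CN 127.0.0.1, host 192.168.234.53) the buggy mapping lets the connection proceed and the fixed one refuses it.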