[Bug 1036839] [NEW] Quantal software-properties incorrectly validating ssl certs
Marc Deslauriers
marc.deslauriers at canonical.com
Tue Aug 14 21:05:36 UTC 2012
*** This bug is a security vulnerability ***
Public security bug reported:
The python3 migration of software-properties causes it to incorrectly
validate ssl certificates, leading to a MITM being able to compromise a
remote system. It basically reverts the fix for LP: 915210.
from softwareproperties/ppa.py:
<snip>
# None means use the system default SSL store.
# Otherwise a path to a file is expected (as a bundle of certs)
LAUNCHPAD_PPA_CERT = None
<snip>
try:
    lp_page = urllib2.urlopen(request, cafile=LAUNCHPAD_PPA_CERT)
except TypeError:
    lp_page = urllib2.urlopen(request)
When running under python2, urllib2 does _not_ do ssl certificate checking.
When running under python3, urllib.request _does_ do ssl certificate checking, but only if the cafile points to a valid certificate bundle. Contrary to the comment in the code, setting it to None means it's not checking ssl certificates _at all_.
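An added example (not code from software-properties or the bug report) of how the fall-through above can be made to do what its comment claims: build an explicit ssl.SSLContext so that None really selects the system default store and verification is never silently disabled. Names such as make_ppa_ssl_context and fetch_ppa_page are hypothetical; the cafile= keyword the original relied on has been deprecated in urllib.request since Python 3.6, so the context= keyword is used instead.

```python
import ssl
import urllib.request

# Constructed example, not the software-properties code. Same meaning as the
# constant in ppa.py: None -> use the platform's default CA store.
LAUNCHPAD_PPA_CERT = None


def make_ppa_ssl_context(cafile=LAUNCHPAD_PPA_CERT):
    """Return an SSLContext that always verifies the peer certificate.

    cafile=None loads the system default trust store; a path loads that
    bundle as the only trust anchor. A bundle that cannot be read raises
    instead of quietly degrading to "no verification".
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Already the defaults for create_default_context(); set them explicitly
    # so a later edit cannot weaken the context without it being visible.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies(ctx):
    """Audit helper: True only if ctx rejects unverified or misnamed peers."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def legacy_unverified_context():
    """Model of what urlopen(cafile=None) produced on Python 3.2/3.3:
    a client context that neither verifies the chain nor the hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_ppa_page(request, cafile=LAUNCHPAD_PPA_CERT, opener=urllib.request.urlopen):
    """Fetch a Launchpad page over verified HTTPS.

    `opener` is injectable (hypothetical parameter) so the guard can be
    exercised without network access.
    """
    ctx = make_ppa_ssl_context(cafile)
    if not context_verifies(ctx):
        raise RuntimeError("refusing to fetch over unverified TLS")
    return opener(request, context=ctx)
```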
** Affects: software-properties (Ubuntu)
Importance: Undecided
Status: New
** Tags: rls-q-incoming
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4407
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/1036839