[Bug 1036839] Re: Quantal software-properties incorrectly validating ssl certs
Marc Deslauriers
marc.deslauriers at canonical.com
Tue Aug 14 21:09:31 UTC 2012
This new issue has been assigned CVE-2012-0955
https://bugs.launchpad.net/bugs/1036839
Title:
Quantal software-properties incorrectly validating ssl certs
Status in “software-properties” package in Ubuntu:
New
Bug description:
The python3 migration of software-properties causes it to incorrectly
validate ssl certificates, leading to a MITM being able to compromise
a remote system. It basically reverts the fix for LP: 915210.
from softwareproperties/ppa.py:
<snip>
    # None means use the system default SSL store.
    # Otherwise a path to a file is expected (as a bundle of certs)
    LAUNCHPAD_PPA_CERT = None
<snip>
    try:
        lp_page = urllib2.urlopen(request, cafile=LAUNCHPAD_PPA_CERT)
    except TypeError:
        lp_page = urllib2.urlopen(request)
When running under python2, urllib2 does _not_ do ssl certificate checking.
When running under python3, urllib.request _does_ do ssl certificate checking, but only if the cafile points to a valid certificate bundle. Contrary to the comment in the code, setting it to None means it's not checking ssl certificates _at all_.
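The snippet quoted in the report has two independent defects: a CA-bundle argument of None that the comment reads as "system default store" but the library reads as "no verification", and an `except TypeError:` fallback that silently retries with no verification at all if the first call is rejected. The example below is an added illustration, not code from software-properties or from the bug report, showing the fail-closed shape that avoids both: build the `ssl.SSLContext` yourself, audit what it will enforce before any request is made, and let errors propagate rather than downgrade. `DEFAULT_CA_BUNDLE`, `build_verifying_context`, `is_verifying`, `unverified_context_like_the_bug` and `fetch` are names chosen here, not project identifiers. One caveat for readers on current interpreters: since Python 3.4.3 (PEP 476) `urllib.request.urlopen` verifies certificates by default, and the `cafile` keyword the snippet relied on was deprecated in 3.6 and removed in 3.13, so pass a `context` instead.

```python
"""Fail-closed HTTPS fetching with an explicit, audited ssl.SSLContext.

Added example, standard library only.  It models the two defects in the
software-properties snippet (None meaning "don't verify", and a TypeError
fallback that retries without verification) and shows the shape that
avoids both.
"""
import ssl
import urllib.request

# Hypothetical stand-in for LAUNCHPAD_PPA_CERT in the report.  None here
# really does mean "platform trust store", because build_verifying_context()
# makes that choice explicit instead of leaving it to the library.
DEFAULT_CA_BUNDLE = None


def build_verifying_context(cafile=None):
    """Return an SSLContext that requires a chain to a trusted CA and
    matches the hostname against the certificate.

    cafile=None loads the platform's default trust store; a path loads that
    PEM bundle as the only trust root.  A missing or unreadable bundle raises
    OSError instead of quietly leaving the trust store empty.
    """
    return ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                      cafile=cafile)


def is_verifying(ctx):
    """True only if the context both requires a trusted chain and checks the
    hostname.  This is the check the quoted code never made."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def unverified_context_like_the_bug():
    """Model of what urlopen(request, cafile=None) amounted to on the
    affected Python 3 build: a TLS client that accepts any certificate.
    Exists here only so the audit has something to reject; never pass it
    to a request."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch(url, cafile=DEFAULT_CA_BUNDLE, opener=urllib.request.urlopen):
    """Open url over HTTPS with a verified context, or raise.

    There is deliberately no `except TypeError` fallback: if the runtime's
    urlopen does not accept `context`, the call fails loudly instead of
    silently retrying without verification.  `opener` is injectable so the
    verification path can be exercised offline; the default is the real
    urllib.request.urlopen.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS URL: %r" % (url,))
    ctx = build_verifying_context(cafile)
    if not is_verifying(ctx):
        raise RuntimeError("SSL context would not verify the peer; aborting")
    return opener(url, context=ctx)


if __name__ == "__main__":
    good = build_verifying_context()
    bad = unverified_context_like_the_bug()
    print("default context verifies peer:", is_verifying(good))
    print("cafile=None-style context verifies peer:", is_verifying(bad))
```

The `opener` parameter is the only concession to testability: passing a callable that returns the `context` it was handed lets a unit test prove that every request goes out with `CERT_REQUIRED` and hostname checking, without touching the network.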