[Bug 1556330] Re: upstream curl bug #1371: p12 client certificates code is broken
Ubuntu Foundations Team Bug Bot
1556330 at bugs.launchpad.net
Sat Mar 12 00:23:15 UTC 2016
The attachment "official libcurl patch from Daniel Stenberg" seems to be
a patch. If it isn't, please remove the "patch" flag from the
attachment, remove the "patch" tag, and if you are a member of the
~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/1556330
Title:
upstream curl bug #1371: p12 client certificates code is broken
Status in curl package in Ubuntu:
New
Bug description:
The following bug from upstream libcurl should be fixed in Ubuntu
Stable and Ubuntu LTS trains:
https://sourceforge.net/p/curl/bugs/1371/
The bug fix consists of one missing break statement at the end of a
case in a switch statement.
I personally patched the bug using source code release
curl_7.35.0-1ubuntu2.6.dsc, used in Ubuntu 14.04 LTS, and verified it
does indeed fix the bug and all of the package's tests still pass
afterwards.
Impact: The bug makes it impossible to use PKCS#12 secure storage of
client certificates and private keys with any affected Ubuntu
releases. The fix is one line fixing a broken switch statement and was
already tested against Ubuntu 14.04 LTS with a rebuilt curl package.
Testing: The bug can be reproduced using the following libcurl
parameters (even via CLI, pycurl, etc.).
CURLOPT_SSLCERTTYPE = "P12"
CURLOPT_SSLCERT = path to PKCS#12
CURLOPT_SSLKEY = path to PKCS#12
CURLOPT_SSLKEYPASSWD = key for PKCS#12, if needed
Basically, just use a PKCS#12 format client certificate and private
key against some certificate protected web server.
Regression Potential: If it could possibly break anything, which is
extraordinarily unlikely, it would break one of the three client
certificate formats (most likely PKCS#12 but also PEM or DER). Note
that one of the three formats is already broken due to the bug. Client
certificates of all three types could be checked to prevent this.
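As an added illustration of the bug class the report describes (a switch case that does its work and then, lacking a trailing break, continues into the default case), here is a small C model. It is not curl's source and does not reproduce curl's actual loader; the names cert_stuff_buggy, cert_stuff_fixed, parse_cert_type, load_format and formats_working, and the stand-in loader that only records which format ran, are assumptions made for this example. The final function is the "check all three formats" regression test the report suggests.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not curl's own source: a model of the failure the
 * report describes, a switch case that loads a format and then lacks a
 * trailing break. The function names below are assumed for this example. */

enum cert_type { CERT_PEM, CERT_DER, CERT_P12, CERT_UNKNOWN };

/* Map a CURLOPT_SSLCERTTYPE string to the format (PEM is curl's default
 * when no type is set; exact-case matching is a simplification here). */
enum cert_type parse_cert_type(const char *s)
{
    if (!s || !strcmp(s, "PEM")) return CERT_PEM;
    if (!strcmp(s, "DER")) return CERT_DER;
    if (!strcmp(s, "P12")) return CERT_P12;
    return CERT_UNKNOWN;
}

/* Stand-in loader: records which format ran. A real implementation would
 * hand the file to the TLS backend here. */
static int load_format(const char *fmt, char *handled, size_t n)
{
    snprintf(handled, n, "%s", fmt);
    return 1;
}

/* Buggy shape: the P12 case does its work, then falls into default, so the
 * caller is told the type is unsupported although the bundle loaded.
 * PEM and DER still work, which is why exactly one of three formats breaks. */
int cert_stuff_buggy(enum cert_type t, char *handled, size_t n,
                     char *err, size_t errn)
{
    err[0] = '\0';
    switch (t) {
    case CERT_PEM:
        load_format("PEM", handled, n);
        break;
    case CERT_DER:
        load_format("DER", handled, n);
        break;
    case CERT_P12:
        load_format("P12", handled, n);
        /* FALLTHROUGH - the missing break; control continues into default */
    default:
        snprintf(err, errn, "not supported file type for certificate");
        return 0;
    }
    return 1;
}

/* Fixed shape: identical apart from the single added break. */
int cert_stuff_fixed(enum cert_type t, char *handled, size_t n,
                     char *err, size_t errn)
{
    err[0] = '\0';
    switch (t) {
    case CERT_PEM:
        load_format("PEM", handled, n);
        break;
    case CERT_DER:
        load_format("DER", handled, n);
        break;
    case CERT_P12:
        load_format("P12", handled, n);
        break;                  /* the one-line fix */
    default:
        snprintf(err, errn, "not supported file type for certificate");
        return 0;
    }
    return 1;
}

typedef int (*cert_fn)(enum cert_type, char *, size_t, char *, size_t);

/* The regression check the report suggests: push all three client
 * certificate formats through a handler and count how many succeed. */
int formats_working(cert_fn fn)
{
    const char *types[] = { "PEM", "DER", "P12" };
    int ok = 0;
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        char handled[8] = "", err[64] = "";
        if (fn(parse_cert_type(types[i]), handled, sizeof handled,
               err, sizeof err))
            ok++;
        else
            printf("%s: %s\n", types[i], err);
    }
    return ok;
}
```

Calling formats_working(cert_stuff_buggy) reports two of three formats working and prints the unsupported-type error for P12, while formats_working(cert_stuff_fixed) reports all three; the same three-format sweep, run with a real PEM, DER and PKCS#12 client certificate against a client-certificate-protected server, is the check that covers the regression potential described above.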