Warning vulnerability in elog : no SSL certificate verify
Shopping Ruan
rlq1969612634 at gmail.com
Fri Mar 31 10:38:16 UTC 2017
Hi developers:
Nowadays we made a large-scale security static analysis on several open
source projects, and found some mistakes in elog-3.1.1-1. In
src/elog.c:300:
int ssl_connect(int sock, SSL ** ssl_con)
{
    SSL_METHOD *meth;
    SSL_CTX *ctx;

    SSL_library_init();
    SSL_load_error_strings();
    meth = (SSL_METHOD *) TLSv1_method();
    ctx = SSL_CTX_new(meth);
    *ssl_con = SSL_new(ctx);
    SSL_set_fd(*ssl_con, sock);
    if (SSL_connect(*ssl_con) <= 0)
        return -1;
    return 0;
}
When the SSL connect finishes, you immediately start to execute
read/write operations without verifying the certificate, which can lead to
a MITM attack and cause leakage of sensitive data. We recommend you add a
verify operation such as SSL_CTX_set_verify or SSL_get_peer_certificate to
guarantee the security. We have sent the bug report to Ubuntu Launchpad, and
also inform you of this news. Here is the link:
https://bugs.launchpad.net/ubuntu/+source/elog/+bug/1677558
More information about the Ubuntu-devel-discuss
mailing list