[Bug 1556330] Re: upstream curl bug #1371: p12 client certificates code is broken
Chris J Arges
1556330 at bugs.launchpad.net
Wed Apr 20 13:38:15 UTC 2016
Hello Matthew, or anyone else affected,
Accepted curl into trusty-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/curl/7.35.0-1ubuntu2.7
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed. Your feedback will aid us getting this update
out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed. In either case, details of your testing will help
us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
** Changed in: curl (Ubuntu Trusty)
Status: In Progress => Fix Committed
** Tags added: verification-needed
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1556330
Title:
upstream curl bug #1371: p12 client certificates code is broken
Status in curl package in Ubuntu:
Fix Released
Status in curl source package in Trusty:
Fix Committed
Bug description:
[Impact]
The bug makes it impossible to use PKCS#12 secure storage of client
certificates and private keys with any affected Ubuntu releases. The
fix is one line fixing a broken switch statement and was already
tested against Ubuntu 14.04 LTS with a rebuilt curl package.
This was fixed in upstream libcurl in the following bug:
https://sourceforge.net/p/curl/bugs/1371/
The bug fix consists of one missing break statement at the end of a
case in a switch statement.
I personally patched the bug using source code release
curl_7.35.0-1ubuntu2.6.dsc, used in Ubuntu 14.04 LTS, and verified it
does indeed fix the bug and all of the package's tests still pass
afterwards.
[Test Case]
The bug can be reproduced using the following libcurl parameters (even
via CLI, pycurl, etc.).
CURLOPT_SSLCERTTYPE == "P12"
CURLOPT_SSLCERT = path to PKCS#12
CURLOPT_SSLKEY = path to PKCS#12
CURLOPT_SSLKEYPASSWD = key for PKCS#12 if needed
Basically, just use a PKCS#12 format client certificate and private
key against some certificate protected web server.
[Regression Potential]
If it could possibly break anything, which is extraordinarily
unlikely, it would break one of the three client certificate formats
(most likely PKCS#12 but also PEM or DER). Note 1/3 formats is already
broken due to the bug. Client certificates of all three types could be
checked to prevent this.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1556330/+subscriptions
More information about the Ubuntu-sponsors
mailing list