[Bug 1556330] [NEW] upstream curl bug #1371: p12 client certificates code is broken
Launchpad Bug Tracker
1556330 at bugs.launchpad.net
Sat Mar 12 00:44:26 UTC 2016
You have been subscribed to a public bug by Mathew Hodson (mathew-hodson):
The following bug from upstream libcurl should be fixed in Ubuntu Stable
and Ubuntu LTS trains:
https://sourceforge.net/p/curl/bugs/1371/
The bug fix consists of one missing break statement at the end of a case
in a switch statement.
I personally patched the bug using source code release
curl_7.35.0-1ubuntu2.6.dsc, used in Ubuntu 14.04 LTS, and verified it
does indeed fix the bug and all of the package's tests still pass
afterwards.
Impact: The bug makes it impossible to use PKCS#12 secure storage of
client certificates and private keys with any affected Ubuntu releases.
The fix is one line fixing a broken switch statement and was already
tested against Ubuntu 14.04 LTS with a rebuilt curl package.
Testing: The bug can be reproduced using the following libcurl
parameters (even via CLI, pycurl, etc.).
CURLOPT_SSLCERTTYPE == "P12"
CURLOPT_SSLCERT = path to PKCS#12
CURLOPT_SSLKEY = path to PKCS#12
CURLOPT_SSLKEYPASSWD = key for PKCS#12 if needed
Basically, just use a PKCS#12 format client certificate and private key
against some certificate protected web server.
Regression Potential: If it could possibly break anything, which is
extraordinarily unlikely, it would break one of the three client
certificate formats (most likely PKCS#12 but also PEM or DER). Note 1/3
formats is already broken due to the bug. Client certificates of all
three types could be checked to prevent this.
** Affects: curl (Ubuntu)
Importance: Medium
Status: Fix Released
** Tags: patch
--
upstream curl bug #1371: p12 client certificates code is broken
https://bugs.launchpad.net/bugs/1556330
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
More information about the Ubuntu-sponsors
mailing list