[Bug 1556330] Re: upstream curl bug #1371: p12 client certificates code is broken

Sat Mar 12 00:49:46 UTC 2016

** Description changed:

- The following bug from upstream libcurl should be fixed in Ubuntu Stable
- and Ubuntu LTS trains:
+ [Impact]
+ 
+ The bug makes it impossible to use PKCS#12 secure storage of client
+ certificates and private keys with any affected Ubuntu releases. The fix
+ is one line fixing a broken switch statement and was already tested
+ against Ubuntu 14.04 LTS with a rebuilt curl package.
+ 
+ This was fixed in upstream libcurl in the following bug:

  https://sourceforge.net/p/curl/bugs/1371/

  The bug fix consists of one missing break statement at the end of a case
  in a switch statement.

  I personally patched the bug using source code release
  curl_7.35.0-1ubuntu2.6.dsc, used in Ubuntu 14.04 LTS, and verified it
  does indeed fix the bug and all of the package's tests still pass
  afterwards.

- Impact: The bug makes it impossible to use PKCS#12 secure storage of
- client certificates and private keys with any affected Ubuntu releases.
- The fix is one line fixing a broken switch statement and was already
- tested against Ubuntu 14.04 LTS with a rebuilt curl package.
+ [Test Case]

- Testing: The bug can be reproduced using the following libcurl
- parameters (even via CLI, pycurl, etc.).
+ The bug can be reproduced using the following libcurl parameters (even
+ via CLI, pycurl, etc.).

  CURLOPT_SSLCERTTYPE == "P12"
  CURLOPT_SSLCERT = path to PKCS#12
  CURLOPT_SSLKEY = path to PKCS#12
  CURLOPT_SSLKEYPASSWD = key for PKCS#12 if needed

  Basically, just use a PKCS#12 format client certificate and private key
  against some certificate protected web server.

- Regression Potential: If it could possibly break anything, which is
- extraordinarily unlikely, it would break one of the three client
- certificate formats (most likely PKCS#12 but also PEM or DER). Note 1/3
- formats is already broken due to the bug. Client certificates of all
- three types could be checked to prevent this.
+ [Regression Potential]
+ 
+ If it could possibly break anything, which is extraordinarily unlikely,
+ it would break one of the three client certificate formats (most likely
+ PKCS#12 but also PEM or DER). Note 1/3 formats is already broken due to
+ the bug. Client certificates of all three types could be checked to
+ prevent this.

** Tags added: trusty

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1556330

Title:
  upstream curl bug #1371: p12 client certificates code is broken

Status in curl package in Ubuntu:
  Fix Released

Bug description:
  [Impact]

  The bug makes it impossible to use PKCS#12 secure storage of client
  certificates and private keys with any affected Ubuntu releases. The
  fix is one line fixing a broken switch statement and was already
  tested against Ubuntu 14.04 LTS with a rebuilt curl package.

  This was fixed in upstream libcurl in the following bug:

  https://sourceforge.net/p/curl/bugs/1371/

  The bug fix consists of one missing break statement at the end of a
  case in a switch statement.

  I personally patched the bug using source code release
  curl_7.35.0-1ubuntu2.6.dsc, used in Ubuntu 14.04 LTS, and verified it
  does indeed fix the bug and all of the package's tests still pass
  afterwards.

  [Test Case]

  The bug can be reproduced using the following libcurl parameters (even
  via CLI, pycurl, etc.).

  CURLOPT_SSLCERTTYPE == "P12"
  CURLOPT_SSLCERT = path to PKCS#12
  CURLOPT_SSLKEY = path to PKCS#12
  CURLOPT_SSLKEYPASSWD = key for PKCS#12 if needed

  Basically, just use a PKCS#12 format client certificate and private
  key against some certificate protected web server.

  [Regression Potential]

  If it could possibly break anything, which is extraordinarily
  unlikely, it would break one of the three client certificate formats
  (most likely PKCS#12 but also PEM or DER). Note 1/3 formats is already
  broken due to the bug. Client certificates of all three types could be
  checked to prevent this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1556330/+subscriptions