Re: CVE(-2007-xxxx?) request: telepathy-idle does not check SSL certificates

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/24/2013 08:35 AM, Simon McVittie wrote:
> In versions prior to 0.1.15, telepathy-idle, an IRC backend for
> the Telepathy framework, does not check the server's SSL/TLS
> certificate for validity[1]. A network intermediary could use this
> flaw to carry out man-in-the-middle attacks on IRC users.
>
> This flaw has existed, and been flagged in the source code[2],
> since at least 2007 (the year in which telepathy-idle moved from
> Sourceforge to freedesktop.org). I don't know whether that means it
> should get an ID of the form CVE-2007-xxxx?
>
> The upcoming version 0.1.15 will fix this vulnerability.
>
> Versions 0.1.11 to 0.1.14 (which use GLib for TLS) carried out
> some cursory checks on the certificate, but did not check that the
> issuer was a trusted CA, that the identity matched the server's
> hostname, or that the certificate had not expired. A minimal patch
> to correct this is to delete the call to
> g_socket_client_set_tls_validation_flags() (this will make one
> regression test fail).
>
> Versions 0.1.10 and older (which use OpenSSL for TLS) do not have
> any support for certificate verification at all.

In general if you support SSL the assumption is you do it sanely, e.g.
verify certificates/hostnames/etc, because if not the whole thing is
useless since an attacker can MitM you easily (generally the thing SSL
is designed to stop). So worthy of a CVE generally.

Please use CVE-2013-2025for this issue.

> Regards, S
>
> [1] https://bugs.freedesktop.org/show_bug.cgi?id=63810 [2] "TODO
> sometime in the future implement certificate verification"




- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRfswTAAoJEBYNRVNeJnmTHmwP/iM+TZURUAWT3J2cckDRvuFX
Hsv8s0l87/tIaweB9ZerVNoL9K7KUbOvxOP96pcZ5VRD5I+h6lM+IWF3pEt6czEI
GmuXbhDa4gJ933slwPVlCI0ftoFcOTIVLmu6lRsFOseAtba4Q8D09RcnhQ/CTfeN
jWqXS29eGgR031N+q6GLNhn2RgfW1HSf7FCeKCwI8O5suNfpIZIQpmcfafw3fmh/
Pky6FiECzMQLYef7+KP0gLDQWVb75UEAhiUjF/RvwDgQ3nXimP0L+wWJd4eMmn6p
F/dQmFvGgHQKX+EKxdY/93hI4CU6ovchMvEORnvtX5AW2AwoAhn8zGGUYCOf+X2l
n/23bFvKL3pL89eQhg5LZyMwk5Xl29nah0XIlgWVlb8rIDLTyQNICjVb8xOWdHst
Q5ioo2tn7xiha+FY/KGg3yvAA+gM95TwFpSzX8WAh/TdikUZv7jCwonbnUTzqF/d
wmZZjZc+KGglu5Bzb42DQV91M++HaBAnhlePr4tsupR+nx/PDnMuerKWF+d36GQV
rBDA+5M12hUFESpTde3nXzqUvJ40sABBaJxGsUwe4BgFXZg4a8iv9RkVodTQXTm0
jYivAXXqS4FeeB9si4Jsn1uZlvzYHLldLYxIkzh31sdFFVpq/2MJ3eFxYnnESTrf
yvr6bTPFeCzfNW0n9UXN
=yTPh
-----END PGP SIGNATURE-----