oss-sec mailing list archives

Re: CVE request: Curl insecure usage


From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Tue, 27 Nov 2012 17:55:14 -0500 (EST)


Kurt,

My read is that these are fairly straightforward issues, although the number of implementations with this problem may be rather high :-(

opendnssec calls libcurl with an incorrect value "true" that's effectively treated as the number 1, which is an insecure CURLOPT_SSL_VERIFYHOST value. So, opendnssec didn't call the API correctly - so the problem rests with opendnssec.

For the handful of people interested - this is a kind of type confusion or incorrect conversion error that affects a language other than C! Kinda cute.

For PHPcas, this is just calling the API with an insecure CURLOPT_SSL_VERIFYHOST value, period.

So, I'd say that these faulty implementations each deserve their own CVE, instead of a single ID for Curl.

- Steve


On Mon, 26 Nov 2012, Kurt Seifried wrote:


On 11/26/2012 08:06 AM, Moritz Muehlenhoff wrote:
Hi, during the triage of the SSL client bugs spotted by the
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf paper Debian
developer Alessandro Ghedini discovered two more applications using
Curl in an insecure manner:

1. opendnssec (in the eppclient tool)
http://lists.opendnssec.org/pipermail/opendnssec-user/2012-November/002296.html

2. PHPcas (used by Moodle e.g.):
https://github.com/Jasig/phpCAS/pull/58

Please assign CVE IDs for these.

Cheers, Moritz


Have these been receiving individual CVEs? I can't find any offhand,
can you provide examples of others?

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

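A small audit script, added here as an illustration (it is not code from opendnssec, phpCAS or curl), that scans source for the misuse discussed in this thread: CURLOPT_SSL_VERIFYHOST set through a boolean or the value 1 instead of 2. The call shapes it recognises and the sample lines are constructed; it inspects one call per source line.

```python
import re

# Matches both spellings of the call discussed in the thread:
#   PHP: curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, <value>)
#   C:   curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, <value>)
_CALL = re.compile(
    r"curl_(?:easy_)?setopt\s*\(\s*[^,]+,\s*CURLOPT_SSL_VERIFYHOST\s*,\s*([^)]+?)\s*\)",
    re.IGNORECASE,
)

# libcurl semantics of CURLOPT_SSL_VERIFYHOST:
#   0 -> no hostname check at all
#   1 -> only checks that the certificate carries a common name; it is never
#        compared with the host being contacted, so it is effectively no check
#   2 -> the certificate name must match the hostname (the only safe value)
# A boolean true becomes 1 in PHP and in C with <stdbool.h>, which is the
# type-confusion error the thread describes.
_SAFE = {"2", "2l"}
_INSECURE = {"0", "0l", "1", "1l", "true", "false"}


def classify_value(raw):
    """Map the literal passed as the option value to 'ok', 'insecure' or 'unknown'."""
    v = raw.strip().lower()
    if v in _SAFE:
        return "ok"
    if v in _INSECURE:
        return "insecure"
    return "unknown"  # a variable or expression: needs manual review


def audit_verifyhost(source):
    """Return (line_number, literal, verdict) for every CURLOPT_SSL_VERIFYHOST call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in _CALL.finditer(line):
            findings.append((lineno, m.group(1).strip(), classify_value(m.group(1))))
    return findings


# Constructed sample input (not taken from opendnssec or phpCAS), one call per style.
SAMPLE = """\
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, true);   /* C: bool promotes to 1 */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);     /* C: correct */
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);         // PHP: bool converts to 1
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);            // PHP: correct
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verify_host); // PHP: review by hand
"""

if __name__ == "__main__":
    for lineno, literal, verdict in audit_verifyhost(SAMPLE):
        print(f"line {lineno}: CURLOPT_SSL_VERIFYHOST = {literal!r} -> {verdict}")
```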


