Re: rubygems insecure download (and other problems)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/15/2013 02:37 AM, Marcus Meissner wrote:
> On Wed, Aug 14, 2013 at 05:02:36PM -0400, Donald Stufft wrote:
> > On Aug 14, 2013, at 4:59 PM, Kurt Seifried <kseifried () redhat com>
> > wrote:
> >
> > > Signed PGP part I don't think this is CVE worthy, but it is
> > > worth fixing and not putting everyone at such risk:
> > >
> > > https://bugzilla.novell.com/show_bug.cgi?id=834785 
> > > https://bugzilla.redhat.com/show_bug.cgi?id=997179
> > >
> > > Problem #1: install /etc/gemrc to install gems via https rather
> > > than http
> > >
> > > everyone should be enabling HTTPS where possible, intercepting
> > > and modifying HTTP is trivial.
> > >
> > > Problem #2: it redirects to  production.cf.rubygems.org which
> > > is on cloudfront so has certificate mismatch, so either users
> > > have to accept insecurity, or... well there is no second choice
> > > =(.
> > >
> > > https://www.ssllabs.com/ssltest/analyze.html?d=production.cf.rubygems.org
- - --
> > > Kurt Seifried Red Hat Security Response Team (SRT) PGP:
> > > 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> >
> > pip has a CVE for downloading via HTTP, does switching the gem to
> > HTTPS actually make gem verify it?
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629
>
> Some SSL certificate issues in Ruby were also fixed...
>
> ... testing by pointing rubygems.org to another host with https
> gives:
>
> $ gem install foo ERROR:  Could not find a valid gem 'foo' (>= 0)
> in any repository ERROR:  While executing gem ...
> (Gem::RemoteFetcher::FetchError) SSL_connect returned=1 errno=0
> state=SSLv3 read server certificate B: certificate verify failed
> (https://rubygems.org/latest_specs.4.8.gz) ...
>
> I think a "package management" solution that installs software on a
> system should have good security measurements by default these
> days, and trivial man-in-the-middle attacks should not be
> possible.
>
> So the implicit assumption "installing gems is secure" is violated
> here, which would require a CVE I think.
>
> Ciao, Marcus

Can someone generate a list of all the client software that pulls gems
insecurely from rubygems.org and post it here? thanks. I can't assign
CVE's to services, only to software.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSDQJKAAoJEBYNRVNeJnmTfgYQAMOtj1PiNc46aiuAoAVnAaKr
n9oH44SDMd/byjhfbSFuK+mRFlGgXynFSEdpu4dEZl8w5qQmTlHHdLlU7RIzVFfg
B8qOrr/KIYn50ftwlJI0Jik68o5bq3HamGi7B+E+cX53BYEz9zhI7jVP39WdnY0M
Dmoany+EiORK19ZPeg10dDVWfe5vwk0k/4i1h7xWp5rUThC6LmGcNpZCdEHgfZyA
auMOwZzneenav6HHMEa+Vh0N0uf9T1BeTHdVI4GHzepLxzSwuF5kgIu8Q3tXnGgU
6NEGfdv9KuA7Ivgz16jjUUiJEk/JdgbUaBECXUzdzdSDmSc6ow27IDbVLh0Yq0hW
FIyBz50q+0Wt+L7CsTZ8qfs3+Se0BSZt6XDkQwEA8x/wZPBfzIx59F8KGfZXu4sE
H895w4YdFlcY7bZEdEakd28aHZbKj2qD4/KlfmntXzs4HIMFO1CrLuJ8zaqX1ZTI
xRJZiX+Wur8f7Ftcx+ScjkRMC66PxGxIvqnFXKRxYlD+mPpm6zr0xfLw0buL5C4m
4ZUpy3xlWVfrS6wsaFoco9DALB0naaBVqwgXxMPqxi+cbt4u2+s+MjoZmNPTcitp
dj/GZQCruejr2iKkNfhUTfvSxlKEFPGxcBVx5nTjGcEGBsg1EOit1a4rsubt9V+z
In9YUH15QvITGMrbfkyl
=8leO
-----END PGP SIGNATURE-----