Re: CVE request: xchat/hexchat don't properly verify SSL certificates

[Sam Dodrill <shadow.h511 () gmail com>]

A lot of the time IRC networks will not pay for a verified SSL cert due to
the fact that the kind of SSL cert they would need (a wildcard one) is
financially prohibitive. I don't think this is a security bug with hexchat
more a symptom of the fact that SSL combines encryption and identity
verification where sometimes people only want the former.

On Thu Jan 29 2015 at 10:58:51 AM Marc Deslauriers <
marc.deslauriers () canonical com> wrote:

> On 2015-01-29 01:52 PM, Vincent Danen wrote:
> > As reported [1]:
> >
> > XChat did not verify that the server hostname matched the domain name in
> the
> > subject's Common Name (CN) or subjectAltName field in X.509
> certificates. This
> > could allow a man-in-the-middle attacker to spoof an SSL server if they
> had a
> > certificate that was valid for any domain name.
> >
> > The same code is used in hexchat.
> >
> > This was initially reported to hexchat in 2013 [2] and fixed last
> November [3].
> > I'm not sure if it should receive a 2013 or a 2014 CVE.  Can one be
> assigned to
> > this?
> >
> > Thanks.
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1081839
> > [2] https://github.com/hexchat/hexchat/issues/524
> > [3]
> > https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a
> 4910a7e02d
> >
>
> Looks like XChat-GNOME is vulnerable also.
>
> Marc.
>
>
> --
> Marc Deslauriers
> Ubuntu Security Engineer     | http://www.ubuntu.com/
> Canonical Ltd.               | http://www.canonical.com/