oss-sec mailing list archives

Re: CVE request: xchat/hexchat don't properly verify SSL certificates

From: jmm () debian org
Date: Sun, 22 Feb 2015 19:58:22 +0100

On Thu, Jan 29, 2015 at 11:52:08AM -0700, Vincent Danen wrote:

As reported [1]:

XChat did not verify that the server hostname matched the domain name in the
subject's Common Name (CN) or subjectAltName field in X.509 certificates.
This could allow a man-in-the-middle attacker to spoof an SSL server if they
had a certificate that was valid for any domain name.

The same code is used in hexchat.

This was initially reported to hexchat in 2013 [2] and fixed last November
[3].  I'm not sure if it should receive a 2013 or a 2014 CVE.  Can one be
assigned to this?

Thanks.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1081839
[2] https://github.com/hexchat/hexchat/issues/524
[3] https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02d


This seems to have fallen through the cracks, explicitly
adding cve-assign to CC.

Cheers,
        Moritz

Current thread:

CVE request: xchat/hexchat don't properly verify SSL certificates Vincent Danen (Jan 29)
- Re: CVE request: xchat/hexchat don't properly verify SSL certificates Marc Deslauriers (Jan 29)
  - Re: CVE request: xchat/hexchat don't properly verify SSL certificates Sam Dodrill (Jan 29)
    - Re: CVE request: xchat/hexchat don't properly verify SSL certificates Reed Loden (Jan 29)
    - Re: CVE request: xchat/hexchat don't properly verify SSL certificates Daniel Kahn Gillmor (Jan 29)
    - Re: CVE request: xchat/hexchat don't properly verify SSL certificates Michael Samuel (Jan 30)
    - Re: CVE request: xchat/hexchat don't properly verify SSL certificates Kurt Seifried (Jan 30)
    - Re: CVE request: xchat/hexchat don't properly verify SSL certificates TingPing (Jan 30)
    - Re: CVE request: xchat/hexchat don't properly verify SSL certificates Sven Schwedas (Jan 30)
- Re: CVE request: xchat/hexchat don't properly verify SSL certificates jmm (Feb 22)