Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 02 May 2014 14:54:33 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>,
        Assign a CVE Identifier <cve-assign@...re.org>
Subject: Debian Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables
 peer certificate verification for IO::Socket::SSL

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579

Package: libwww-perl
Version: 6.06-1
Tags: security
Usertags: serious

If LWP uses IO::Socket::SSL as SSL socket class (this is the default),
setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variable disables(!)
server cerificate verification:

...

So the intention was to disable only hostname verification, for
compatibility with Crypt::SSLeay (why?!), but the effect is that the
SSL_verify_mode is set to 0.

So this probably needs a CVE. My thought being that you meant to
disable hostname checks, and ended up disabling all verification, so I
guess it's a fine line since disabling host name checks means an
attacker can use any C you trust to get a cert for a hostname they
control and mitm you, but if you are using an internal CA this would
allow a mitm that was not possible without this flaw, so there can be
a violation in a relatively not completely insane setup.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTZAYJAAoJEBYNRVNeJnmT9JsP/0qjZzubb5c4f05KTwEIlail
Oay7Z2eYXSipi3rg1M4JNHUXeE3M9bXp0IyUsmvfmS59EcHyC8tZN3IERLymSpvT
gfNoLKFYipUv/Dgu0bdt5HM3tKhl/pCHsJPvfoCnZR7bh8pa17XbckpmxwIajwqh
vZ6K6gI9SrlNycNUdo920/kstIkdc/FdpEpkRvRMOsMTD65l+3VMGKEGb55ekqqd
2yUZnw+Qza1frhFg6cSeeP/liyDijRVH4lbCSkjXdWy8gedHLpGreNsC7jgsckRQ
qlzKWiJbfRXSySx0OuczKFFVRWELaSmOThTEFsY1bDoM8GvPcJjbdZDVY7Yg62BX
HtlzshpOT7es1egJP5g88XvyJdxIu9j6UgTYlhvF017ZSVb5v6YhxaPN5EUVNTOk
EK3UobAdSokiJtLgZ4BSIQ41EdPco9BbSpd31/iPyTU733jkITSqRmMrYoCZyMnk
eO1yNrX4QdyaIhAnbLhvCyGVOIi/ytjCIBGwjw/Prx1G2gTy67yH2eYFyIOGpTbb
EvdVDm2tzw4l5lC4SUwKNvVWawtbtoeCp8nAI9KzTG7uL97GrLmku3WnoCe7zsKz
BzlXHWUshR3PcaDS7PeyfWlke+pt1KeSdj97pBvLnyWbAQZE7sLHCDnuUyCtFg6K
jPcqe01NT37NR3QOMZtY
=APK7
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ