Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 6 May 2014 16:19:14 -0400 (EDT)
From: cve-assign@...re.org
To: kseifried@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Debian Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
> Package: libwww-perl
> setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variable

This is apparently still being investigated upstream, with
https://github.com/libwww-perl/lwp-protocol-https/pull/14 updated as
recently as this afternoon. The set of issues is unusual and may
ultimately require more than one CVE ID.

At the moment, it seems that the most straightforward CVE assignment
is for the following statement in
https://github.com/libwww-perl/lwp-protocol-https/pull/14#issuecomment-42328818

  "If you google for HTTPS_CA_FILE you will probably only find
   references to LWP/Crypt::SSLeay. So, in a way, it makes sense to
   special case this because these are mostly users of the older LWP
   versions."

This seems to be, more or less, equivalent to "the behavior of the
product is determined by using somewhat arbitrary environment
variables that, in practice, are correlated with whether the user may
desire a 'compatibility mode' with different security properties, even
though this correlation isn't especially strong."

Off hand, we don't know of any other product that does something like
that. So, we're assigning CVE-2014-3230 for the Least Surprise
violation.

There's a separate question of whether the "compatibility mode"
behavior has an implementation that matches its design. A second CVE
ID seems reasonably likely, but the issue itself is perhaps still
being analyzed.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579#44 says
"contrary to what the name of the option suggests, verify_hostname is
supposed to enable/disable both certificate verification and that the
certificate matches hostname. But after this patch applied, it will
affect only the latter."

At this point, it seems unlikely that there would be a third CVE for
whether the "compatibility mode" behavior actually should not exist.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTaUA9AAoJEKllVAevmvmsIToH/i48lQZKdtiRRKzz8rWeUcYF
HFw8ZmocshaCG2/ZyHiQv4j0w7jjBAuhOv4VDwZWR56WtRpGlcZYz7te7sglG6yM
h7LQACHsr/cv9EcDyolAsmigv7/zjRSmhhE/uGhf/up30tKO4ZoaVFFNQClihfAc
J3K23L8PhtxIVlp5eyHar6vndC53L1XwJn8lnvYXczSA9Y7q+3PAG4LF/oo4sWxz
ZxfwgbNTyaKhpppPUcudHSOz8fpZVaGdqrYEWkXj0DY8+TQTHPYfZuGw6shyHuUL
MTz/zRRdyBWjrMR9szq7XnJ3RzF63xjwyJGRhsQ1EquWwGcgR3GfCbYn4x43BNg=
=HQLw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.