Date: Thu, 15 Aug 2013 10:31:07 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Marcus Meissner <meissner@...e.de>
CC: oss-security@...ts.openwall.com
Subject: Re: rubygems insecure download (and other problems)

On 08/15/2013 02:37 AM, Marcus Meissner wrote:
> On Wed, Aug 14, 2013 at 05:02:36PM -0400, Donald Stufft wrote:
>> 
>> On Aug 14, 2013, at 4:59 PM, Kurt Seifried <kseifried@...hat.com>
>> wrote:
>> 
>>> I don't think this is CVE worthy, but it is
>>> worth fixing and not putting everyone at such risk:
>>> 
>>> https://bugzilla.novell.com/show_bug.cgi?id=834785 
>>> https://bugzilla.redhat.com/show_bug.cgi?id=997179
>>> 
>>> Problem #1: install /etc/gemrc to install gems via https rather
>>> than http
>>> 
>>> everyone should be enabling HTTPS where possible, intercepting
>>> and modifying HTTP is trivial.
>>> 
>>> Problem #2: it redirects to  production.cf.rubygems.org which
>>> is on cloudfront so has certificate mismatch, so either users
>>> have to accept insecurity, or... well there is no second choice
>>> =(.
>>> 
>>> https://www.ssllabs.com/ssltest/analyze.html?d=production.cf.rubygems.org
>>>
>>> --
>>> Kurt Seifried Red Hat Security Response Team (SRT) PGP:
>>> 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>>> 
>> 
>> pip has a CVE for downloading via HTTP, does switching the gem to
>> HTTPS actually make gem verify it?
>> 
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629
> 
> Some SSL certificate issues in Ruby were also fixed...
> 
> ... testing by pointing rubygems.org to another host with https
> gives:
> 
> $ gem install foo
> ERROR:  Could not find a valid gem 'foo' (>= 0) in any repository
> ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
>     SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)
> ...
> 
> I think a "package management" solution that installs software on a
> system should have good security measurements by default these
> days, and trivial man-in-the-middle attacks should not be
> possible.
> 
> So the implicit assumption "installing gems is secure" is violated
> here, which would require a CVE I think.
> 
> Ciao, Marcus
> 

Can someone generate a list of all the client software that pulls gems
insecurely from rubygems.org and post it here? Thanks. I can't assign
CVEs to services, only to software.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
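
An added example, not part of the original thread and not RubyGems code: a small Ruby audit of a gemrc file, such as the /etc/gemrc mentioned under Problem #1, that reports plain-HTTP gem sources and disabled certificate verification. The sample file contents and the name `audit_gemrc` are constructed for illustration, and it assumes the installed RubyGems honours the `:sources:` and `:ssl_verify_mode:` keys.

```ruby
require "yaml"
require "uri"

# Constructed sample gemrc contents (not taken from any real system).
SAMPLE_GEMRC = <<~GEMRC
  ---
  :sources:
  - http://rubygems.org/
  - https://gems.example.internal/
  :ssl_verify_mode: 0
GEMRC

# Hypothetical helper: returns a list of findings for one gemrc document.
def audit_gemrc(text)
  # gemrc keys are YAML symbols (":sources:"), so Symbol must be permitted.
  config = YAML.safe_load(text, permitted_classes: [Symbol])
  return ["gemrc is not a YAML mapping"] unless config.is_a?(Hash)

  # Normalise keys to strings so lookups below are uniform.
  settings = config.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
  findings = []

  Array(settings["sources"]).each do |src|
    scheme = begin
      URI.parse(src.to_s).scheme
    rescue URI::InvalidURIError
      nil
    end
    # Plain HTTP can be intercepted and modified in transit.
    findings << "source #{src} is fetched over plain HTTP" if scheme&.downcase == "http"
  end

  # 0 is OpenSSL::SSL::VERIFY_NONE: HTTPS is used but the certificate is not checked.
  if settings["ssl_verify_mode"] == 0
    findings << "ssl_verify_mode is 0 (VERIFY_NONE): server certificate is not verified"
  end

  findings
end

puts audit_gemrc(SAMPLE_GEMRC) if __FILE__ == $PROGRAM_NAME
```

A gemrc with no `:sources:` entry yields no source findings here, because the effective default then comes from the installed RubyGems rather than from the file.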
