CVE-2012-2132: does not indicate whether or not an SSL certificate is valid

Debian Bug report logs - #672880
CVE-2012-2132: does not indicate whether or not an SSL certificate is valid

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: submit@bugs.debian.org

Subject: CVE-2012-2132: does not indicate whether or not an SSL certificate is valid

Date: Mon, 14 May 2012 15:29:05 +0300

Package: libsoup2.4-1
Version: 2.30.2-1+squeeze1
Severity: important
Tags: security

References:
https://bugzilla.novell.com/show_bug.cgi?id=758431
https://bugzilla.redhat.com/show_bug.cgi?id=817692

This needs verification. Please ask if you need my help.

-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libsoup2.4-1 depends on:
ii  libc6              2.11.3-3              Embedded GNU C Library: Shared lib
ii  libgcrypt11        1.4.5-2               LGPL Crypto library - runtime libr
ii  libglib2.0-0       2.24.2-1              The GLib library of C routines
ii  libgnutls26        2.8.6-1+squeeze2      the GNU TLS library - runtime libr
ii  libxml2            2.7.8.dfsg-2+squeeze3 GNOME XML library
ii  zlib1g             1:1.2.3.4.dfsg-3      compression library - runtime

libsoup2.4-1 recommends no packages.

libsoup2.4-1 suggests no packages.

-- no debconf information

Message #10 received at 672880@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: 672880@bugs.debian.org

Subject: Re: CVE-2012-2132: does not indicate whether or not an SSL certificate is valid

Date: Thu, 6 Sep 2012 18:05:11 +0200

On Mon, May 14, 2012 at 03:29:05PM +0300, Henri Salo wrote:
> Package: libsoup2.4-1
> Version: 2.30.2-1+squeeze1
> Severity: important
> Tags: security
> 
> References:
> https://bugzilla.novell.com/show_bug.cgi?id=758431
> https://bugzilla.redhat.com/show_bug.cgi?id=817692
> 
> This needs verification. Please ask if you need my help.

What's the status?

Cheers,
        Moritz

Message #15 received at 672880@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: 672880@bugs.debian.org

Cc: Moritz Muehlenhoff <jmm@inutil.org>

Subject: status

Date: Fri, 7 Sep 2012 07:41:39 +0300

No replies from package maintainer. Red Hat bugzilla has several patches:

patch against libsoup 2.32 for bug #817692: https://bugzilla.redhat.com/attachment.cgi?id=581443&action=diff
patch against libsoup 2.34 (F15) for bug #817692 https://bugzilla.redhat.com/attachment.cgi?id=581614&action=diff

Please list tasks for me if there is something I should do to get this issue fixed and closed.

- Henri Salo

Message #20 received at 672880@bugs.debian.org (full text, mbox, reply):

From: Josselin Mouette <joss@debian.org>

To: Moritz Muehlenhoff <jmm@inutil.org>, 672880@bugs.debian.org

Subject: Re: Bug#672880: CVE-2012-2132: does not indicate whether or not an SSL certificate is valid

Date: Fri, 07 Sep 2012 13:47:54 +0200

Le jeudi 06 septembre 2012 à 18:05 +0200, Moritz Muehlenhoff a écrit : 
> On Mon, May 14, 2012 at 03:29:05PM +0300, Henri Salo wrote:
> > Package: libsoup2.4-1
> > Version: 2.30.2-1+squeeze1
> > Severity: important
> > Tags: security
> > 
> > References:
> > https://bugzilla.novell.com/show_bug.cgi?id=758431
> > https://bugzilla.redhat.com/show_bug.cgi?id=817692
> > 
> > This needs verification. Please ask if you need my help.
> 
> What's the status?

Epiphany in squeeze is not affected.  It displays correctly the validity
status of a certificate, using the root authority in ca-certificates.

From the comments in the upstream report, Midori might be affected
though.

-- 
 .''`.      Josselin Mouette
: :' :
`. `'
  `-

Message #25 received at 672880@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: 672880@bugs.debian.org

Cc: Josselin Mouette <joss@debian.org>

Subject: Midori

Date: Sat, 8 Sep 2012 13:26:05 +0300

I think Midori is indeed affected as I went to site, which used self-signed HTTPS sertificate and Midori didn't say anything about it. If I am correct this needs new bug-report and update to security tracker. Please note a comment from bugzilla.redhat.com:

"""Dan Winship 2012-05-01 10:45:08 EDT
The CVE is wrong. The bug is in Midori. It is telling libsoup to trust all SSL certificates, and so then libsoup reports that all SSL certificates are trusted, just like Midori asked.

To the extent that this is libsoup's fault, it's because it supports the feature Midori is trying to implement here, but doesn't document how to do it correctly. But it is *possible* to do it correctly, as seen in epiphany.

The SUSE patch is just wrong, as I'm sure they will notice shortly... (eg, it will completely break https in evolution)."""

I tested using midori 0.2.4-3 (squeeze).

- Henri Salo

Message #30 received at 672880@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: 672880@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: Bug#672880: CVE-2012-2132: does not indicate whether or not an SSL certificate is valid

Date: Tue, 9 Oct 2012 23:30:58 +0200

reassign 672880 midori
severity 672880 normal
thanks

On Fri, Sep 07, 2012 at 01:47:54PM +0200, Josselin Mouette wrote:
> Le jeudi 06 septembre 2012 à 18:05 +0200, Moritz Muehlenhoff a écrit : 
> > On Mon, May 14, 2012 at 03:29:05PM +0300, Henri Salo wrote:
> > > Package: libsoup2.4-1
> > > Version: 2.30.2-1+squeeze1
> > > Severity: important
> > > Tags: security
> > > 
> > > References:
> > > https://bugzilla.novell.com/show_bug.cgi?id=758431
> > > https://bugzilla.redhat.com/show_bug.cgi?id=817692
> > > 
> > > This needs verification. Please ask if you need my help.
> > 
> > What's the status?
> 
> Epiphany in squeeze is not affected.  It displays correctly the validity
> status of a certificate, using the root authority in ca-certificates.
> 
> From the comments in the upstream report, Midori might be affected
> though.

I agree this is rather a bug in Midori than in libsoup. Reassigning.

I'm lowering the severity since Midori isn't covered by security support
anyway (being webkit-based).

Cheers,
        Moritz

Message #41 received at 672880@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: 672880@bugs.debian.org, Henri Salo <henri@nerv.fi>

Cc: Moritz Muehlenhoff <jmm@inutil.org>, ryan@debian.org, pkg-gnome-maintainers@lists.alioth.debian.org

Subject: Re: Processed: Re: Bug#672880: CVE-2012-2132: does not indicate whether or not an SSL certificate is valid

Date: Wed, 10 Oct 2012 08:13:15 +0200

[Message part 1 (text/plain, inline)]

Control: forcemerge 607497 -1
thanks

On mar., 2012-10-09 at 21:36 +0000, Debian Bug Tracking System wrote:
> Processing commands for control@bugs.debian.org:
> 
> > reassign 672880 midori
> Bug #672880 [libsoup2.4-1] CVE-2012-2132: does not indicate whether or not an SSL certificate is valid
> Bug reassigned from package 'libsoup2.4-1' to 'midori'.
> No longer marked as found in versions libsoup2.4/2.30.2-1+squeeze1.
> Ignoring request to alter fixed versions of bug #672880 to the same values previously set
> > severity 672880 normal
> Bug #672880 [midori] CVE-2012-2132: does not indicate whether or not an SSL certificate is valid
> Severity set to 'normal' from 'important'
> > thanks
> Stopping processing here.
> 
> Please contact me if you need assistance.

(when reassigning, please provide a bit of context…)

Actually the same kind of question was already raised (see #607497) and
already assigned a CVE (CVE-2010-3900).

Henri, did you actually check? Because, here, loading an https website
with a CA not recognized correctly turns the url bar to red. 

The version in git is a bit more aggressive, it won't even load the
website if it can't validate the certificate. It's a bit rude against
people using self-signed certificates (which are a perfectly valid
usage) but there's not much options right now.

Obviously, it's not targeted to Wheezy (nor for sid either, for that
matters, because of ftp-masters position on waf)

Regards,
-- 
Yves-Alexis

[signature.asc (application/pgp-signature, inline)]

Message #58 received at 672880@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: Yves-Alexis Perez <corsac@debian.org>, 672880@bugs.debian.org

Cc: Moritz Muehlenhoff <jmm@inutil.org>, ryan@debian.org, pkg-gnome-maintainers@lists.alioth.debian.org

Subject: CVE-2012-2132: does not indicate whether or not an SSL certificate is valid

Date: Wed, 10 Oct 2012 09:23:11 +0300

On Wed, Oct 10, 2012 at 08:13:15AM +0200, Yves-Alexis Perez wrote:
> Henri, did you actually check? Because, here, loading an https website
> with a CA not recognized correctly turns the url bar to red. 

Yes I tested Midori package in squeeze: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672880#25

I can test other packages as well if needed.

- Henri Salo

Message #63 received at 672880@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: Henri Salo <henri@nerv.fi>

Cc: 672880@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, ryan@debian.org, pkg-gnome-maintainers@lists.alioth.debian.org

Subject: Re: CVE-2012-2132: does not indicate whether or not an SSL certificate is valid

Date: Wed, 10 Oct 2012 16:20:34 +0200

[Message part 1 (text/plain, inline)]

On mer., 2012-10-10 at 09:23 +0300, Henri Salo wrote:
> On Wed, Oct 10, 2012 at 08:13:15AM +0200, Yves-Alexis Perez wrote:
> > Henri, did you actually check? Because, here, loading an https website
> > with a CA not recognized correctly turns the url bar to red. 
> 
> Yes I tested Midori package in squeeze: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672880#25
> 

Well, in  Squeeze, the same thing applies than for CVE-2010-3900.
-- 
Yves-Alexis

[signature.asc (application/pgp-signature, inline)]

Message #68 received at 672880@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: Henri Salo <henri@nerv.fi>

Cc: 672880@bugs.debian.org, ryan@debian.org, Moritz Muehlenhoff <jmm@inutil.org>

Subject: Re: CVE-2012-2132: does not indicate whether or not an SSL certificate is valid

Date: Wed, 10 Oct 2012 16:48:13 +0200

[Message part 1 (text/plain, inline)]

On mer., 2012-10-10 at 17:28 +0300, Henri Salo wrote:
> On Wed, Oct 10, 2012 at 04:20:34PM +0200, Yves-Alexis Perez wrote:
> > On mer., 2012-10-10 at 09:23 +0300, Henri Salo wrote:
> > > On Wed, Oct 10, 2012 at 08:13:15AM +0200, Yves-Alexis Perez wrote:
> > > > Henri, did you actually check? Because, here, loading an https website
> > > > with a CA not recognized correctly turns the url bar to red. 
> > > 
> > > Yes I tested Midori package in squeeze: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672880#25
> > > 
> > 
> > Well, in  Squeeze, the same thing applies than for CVE-2010-3900.
> > -- 
> > Yves-Alexis
> 
> Hello,
> 
> Sorry I am not sure I get your point in here. So you are saying that
> there is duplicate CVE assigned? Do you want me to ask the newer CVE to
> be rejected?

I'm unsure, but as far as I understand it, it's not the same code
involved. CVE-2010-3900 is fixed in recent midori, while CVE-2012-2132
is not.

For Debian, Squeeze is vulnerable to CVE-2010-3900 but I'm not sure it's
vulnerable to CVE-2012-2132 since it's not the same mechanism used, or
something. 

For Sid, CVE-2010-3900 is fixed, CVE-2012-2132 is not and won't be as
long as the waf situation is not solved, one way or another.

Regards,
-- 
Yves-Alexis

[signature.asc (application/pgp-signature, inline)]

Message #73 received at 672880@bugs.debian.org (full text, mbox, reply):

From: Michal Suchanek <michal.suchanek@ruk.cuni.cz>

To: Debian Bug Tracking System <672880@bugs.debian.org>

Subject: Re: CVE-2012-2132: does not indicate whether or not an SSL certificate is valid

Date: Fri, 14 Dec 2012 18:16:49 +0100

Package: midori
Version: 0.4.3-1
Followup-For: Bug #672880

Hello,

how come this bug is not marked grave as per 'introduces a security hole
allowing access to the accounts of users who use the package' ?

It is nice to have choice of software in Debian but when the software
has security hole then it should be

a) fixed
b) removed from the archive

Especially sice we are nearing a realease and there is not fix in sight
b) is applicable.

Thanks

Michal

Message #80 received at 607497-done@bugs.debian.org (full text, mbox, reply):

From: Adrian Bunk <bunk@debian.org>

To: 632844-done@bugs.debian.org, 586271-done@bugs.debian.org, 507399-done@bugs.debian.org, 577072-done@bugs.debian.org, 579536-done@bugs.debian.org, 580646-done@bugs.debian.org, 580956-done@bugs.debian.org, 581882-done@bugs.debian.org, 586054-done@bugs.debian.org, 588772-done@bugs.debian.org, 592412-done@bugs.debian.org, 593332-done@bugs.debian.org, 595250-done@bugs.debian.org, 597304-done@bugs.debian.org, 610593-done@bugs.debian.org, 615128-done@bugs.debian.org, 615521-done@bugs.debian.org, 616056-done@bugs.debian.org, 616192-done@bugs.debian.org, 618313-done@bugs.debian.org, 627760-done@bugs.debian.org, 631812-done@bugs.debian.org, 636092-done@bugs.debian.org, 645653-done@bugs.debian.org, 645889-done@bugs.debian.org, 646362-done@bugs.debian.org, 670581-done@bugs.debian.org, 673053-done@bugs.debian.org, 679015-done@bugs.debian.org, 697592-done@bugs.debian.org, 700916-done@bugs.debian.org, 718431-done@bugs.debian.org, 633644-done@bugs.debian.org, 725622-done@bugs.debian.org, 611398-done@bugs.debian.org, 627811-done@bugs.debian.org, 248437-done@bugs.debian.org, 273816-done@bugs.debian.org, 377494-done@bugs.debian.org, 577027-done@bugs.debian.org, 577930-done@bugs.debian.org, 579186-done@bugs.debian.org, 579295-done@bugs.debian.org, 580258-done@bugs.debian.org, 580849-done@bugs.debian.org, 581595-done@bugs.debian.org, 581786-done@bugs.debian.org, 582292-done@bugs.debian.org, 583823-done@bugs.debian.org, 584246-done@bugs.debian.org, 584539-done@bugs.debian.org, 584577-done@bugs.debian.org, 584668-done@bugs.debian.org, 585721-done@bugs.debian.org, 586049-done@bugs.debian.org, 586283-done@bugs.debian.org, 586661-done@bugs.debian.org, 590283-done@bugs.debian.org, 593379-done@bugs.debian.org, 597383-done@bugs.debian.org, 597457-done@bugs.debian.org, 598521-done@bugs.debian.org, 599205-done@bugs.debian.org, 602927-done@bugs.debian.org, 603123-done@bugs.debian.org, 604156-done@bugs.debian.org, 605010-done@bugs.debian.org, 607718-done@bugs.debian.org, 610740-done@bugs.debian.org, 611218-done@bugs.debian.org, 611244-done@bugs.debian.org, 611313-done@bugs.debian.org, 613206-done@bugs.debian.org, 613627-done@bugs.debian.org, 614767-done@bugs.debian.org, 616719-done@bugs.debian.org, 617519-done@bugs.debian.org, 621094-done@bugs.debian.org, 633095-done@bugs.debian.org, 633159-done@bugs.debian.org, 636916-done@bugs.debian.org, 638410-done@bugs.debian.org, 640844-done@bugs.debian.org, 641029-done@bugs.debian.org, 642997-done@bugs.debian.org, 645092-done@bugs.debian.org, 645093-done@bugs.debian.org, 650392-done@bugs.debian.org, 650490-done@bugs.debian.org, 651751-done@bugs.debian.org, 653242-done@bugs.debian.org, 655493-done@bugs.debian.org, 658214-done@bugs.debian.org, 665205-done@bugs.debian.org, 665481-done@bugs.debian.org, 666403-done@bugs.debian.org, 687149-done@bugs.debian.org, 699600-done@bugs.debian.org, 767203-done@bugs.debian.org, 503915-done@bugs.debian.org, 594545-done@bugs.debian.org, 599129-done@bugs.debian.org, 646534-done@bugs.debian.org, 660197-done@bugs.debian.org, 583873-done@bugs.debian.org, 585008-done@bugs.debian.org, 631186-done@bugs.debian.org, 663920-done@bugs.debian.org, 698485-done@bugs.debian.org, 674894-done@bugs.debian.org, 581982-done@bugs.debian.org, 582269-done@bugs.debian.org, 583877-done@bugs.debian.org, 598567-done@bugs.debian.org, 614863-done@bugs.debian.org, 645757-done@bugs.debian.org, 646509-done@bugs.debian.org, 646583-done@bugs.debian.org, 698964-done@bugs.debian.org, 680276-done@bugs.debian.org, 596792-done@bugs.debian.org, 561359-done@bugs.debian.org, 575412-done@bugs.debian.org, 578868-done@bugs.debian.org, 579591-done@bugs.debian.org, 585049-done@bugs.debian.org, 596879-done@bugs.debian.org, 596947-done@bugs.debian.org, 599533-done@bugs.debian.org, 605400-done@bugs.debian.org, 613926-done@bugs.debian.org, 630380-done@bugs.debian.org, 668034-done@bugs.debian.org, 675371-done@bugs.debian.org, 700578-done@bugs.debian.org, 489441-done@bugs.debian.org, 580126-done@bugs.debian.org, 587502-done@bugs.debian.org, 607497-done@bugs.debian.org, 620907-done@bugs.debian.org, 630888-done@bugs.debian.org, 648811-done@bugs.debian.org, 594885-done@bugs.debian.org, 598760-done@bugs.debian.org, 657483-done@bugs.debian.org, 680393-done@bugs.debian.org

Subject: Closing squeeze-only bugs

Date: Mon, 27 Feb 2017 21:34:36 +0200

Dear submitter,

these bug are tagged squeeze without any wheezy/jessie/stretch tag
implying that the bug is not present in more recent Debian releases.

squeeze is no longer supported.

We are sorry that we couldn't deal with your issue in squeeze.

If this bug was incorrectly tagged squeeze, please reopen the bug
and remove the squeeze tag.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Send a report that this bug log contains spam.