duplicity should enable boto's certificate verification option (CVE-2014-3495)

Related Vulnerabilities: CVE-2014-3495  

Debian Bug report logs - #751902

Reported by: Henri Salo <henri@nerv.fi>

Date: Tue, 17 Jun 2014 17:42:01 UTC

Severity: normal

Tags: security, upstream

Found in version duplicity/0.6.24-1

Done: Alexander Zangerl <az@snafu.priv.at>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.launchpad.net/duplicity/+bug/1314234

Report forwarded to debian-bugs-dist@lists.debian.org, Alexander Zangerl <az@debian.org>: Bug#751902; Package duplicity. (Tue, 17 Jun 2014 17:42:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>: New Bug report received and forwarded. Copy sent to Alexander Zangerl <az@debian.org>. (Tue, 17 Jun 2014 17:42:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: duplicity: CVE-2014-3495: improper verification of SSL certificates
Date: Tue, 17 Jun 2014 20:39:48 +0300
Package: duplicity
Version: 0.6.24-1
Severity: important
Tags: security

https://bugzilla.redhat.com/show_bug.cgi?id=1109999

Eric Christensen of Red Hat Product Security reported [1] that Duplicity did not
handle wildcard certificates properly.  If Duplicity were to connect to a remote
host that used a wildcard certificate, and the hostname does not match the
wildcard, it would still consider the connection valid.

1: https://bugs.launchpad.net/duplicity/+bug/1314234

I have no access to that bug item, but I can contact upstream if needed.

---
Henri Salo
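The failure mode Henri describes is a hostname-matching bug: a wildcard name in the server certificate was treated as matching whatever host was connected to. As an added example (not duplicity's or boto's code, and all function names here are this example's own), the following shows the strict RFC 6125 wildcard rules beside a naive matcher that reproduces the reported behaviour. Certificates are modelled as the dict shape `ssl.SSLSocket.getpeercert()` returns, and the sample certificates are constructed for the demo.

```python
"""Hostname matching against a wildcard certificate, RFC 6125 style.

Added example for this bug log; it is not duplicity's or boto's code.
Certificates are modelled as the dict shape returned by
ssl.SSLSocket.getpeercert(); the sample certificates are constructed.
"""


def _dns_ids(cert):
    """Collect the DNS names a certificate asserts.

    subjectAltName dNSName entries win; the subject commonName is used
    only as a fallback when the certificate carries no dNSName at all.
    """
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _pattern_matches(pattern, hostname):
    """Match one presented name (possibly '*.something') against hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Only the entire leftmost label may be a wildcard, and at least two
    # labels must follow it, so "*", "*.com" and "a*.example.com" never match.
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in label for label in plabels[1:]):
        return False
    # The wildcard covers exactly one label: "*.example.com" matches
    # "s3.example.com" but neither "example.com" nor "a.b.example.com".
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def cert_matches_hostname(cert, hostname):
    """Strict check: True only if some presented name covers hostname."""
    return any(_pattern_matches(name, hostname) for name in _dns_ids(cert))


def naive_matches_hostname(cert, hostname):
    """Model of the failure mode the report describes (not duplicity's code):
    any wildcard name is accepted as matching whatever host we connected to.
    """
    hostname = hostname.lower().rstrip(".")
    return any("*" in name or name.lower() == hostname for name in _dns_ids(cert))


# Constructed sample certificates, in getpeercert() dict form.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "*.storage.example.org"),),)}
SAN_OVERRIDES_CN_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "api.example.com"),),
}
TLD_WILDCARD_CERT = {"subjectAltName": (("DNS", "*.com"),)}


if __name__ == "__main__":
    for host in ("s3.example.com", "example.com", "a.b.example.com", "evil.example.net"):
        print(host, "strict:", cert_matches_hostname(WILDCARD_CERT, host),
              "naive:", naive_matches_hostname(WILDCARD_CERT, host))
```

The naive matcher accepts `evil.example.net` against a `*.example.com` certificate, which is exactly the condition under which a man-in-the-middle with any wildcard certificate is trusted; the strict matcher rejects it, rejects multi-label and bare-domain matches, and ignores the CN once a dNSName is present. Partial-label wildcards (`a*.example.com`), which RFC 6125 permits but most libraries refuse, are rejected here as well.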

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 17 Jun 2014 18:45:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Zangerl <az@debian.org>: Bug#751902; Package duplicity. (Wed, 18 Jun 2014 19:39:16 GMT)


Acknowledgement sent to Olivier Berger <olivier.berger@telecom-sudparis.eu>: Extra info received and forwarded to list. Copy sent to Alexander Zangerl <az@debian.org>. (Wed, 18 Jun 2014 19:39:16 GMT)


Message #12 received at 751902@bugs.debian.org:

From: Olivier Berger <olivier.berger@telecom-sudparis.eu>
To: Henri Salo <henri@nerv.fi>, 751902@bugs.debian.org
Subject: Re: Bug#751902: duplicity: CVE-2014-3495: improper verification of SSL certificates
Date: Wed, 18 Jun 2014 21:31:14 +0200
Hi.

On Tue, Jun 17, 2014 at 08:39:48PM +0300, Henri Salo wrote:
> 
> Eric Christensen of Red Hat Product Security reported [1] that Duplicity did not
> handle wildcard certificates properly.  If Duplicity were to connect to a remote
> host that used a wildcard certificate, and the hostname does not match the
> wildcard, it would still consider the connection valid.
> 
> 1: https://bugs.launchpad.net/duplicity/+bug/1314234
> 
> I have no access to that bug item, but I can contact upstream if needed.
> 

I tried to access the above URL, and nothing happens there. Is this an error or an embargoed ticket?

It also seems that this CVE doesn't appear in Launchpad's duplicity CVEs, but again, that may just be embargoed and masked without further notice?

If you have more details, that may be useful.

Thanks in advance.

Best regards,

-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)




Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Zangerl <az@debian.org>: Bug#751902; Package duplicity. (Thu, 19 Jun 2014 10:18:05 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Alexander Zangerl <az@debian.org>. (Thu, 19 Jun 2014 10:18:05 GMT)


Message #17 received at 751902@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 751902@bugs.debian.org
Subject: update
Date: Thu, 19 Jun 2014 13:14:35 +0300
From Vincent Danen:

"""
Indeed it is.  I don't know why it still is.  We had communicated quite clearly
that we didn't want to sit on this forever and had a deadline that we missed
twice I think.  When this bug was filed public, I let them know so I'm not sure
why they've not opened it up yet."""

The Red Hat issue tracker has enough information to understand this security issue.
If you want, I can contact upstream too.

---
Henri Salo

Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Zangerl <az@debian.org>: Bug#751902; Package duplicity. (Thu, 19 Jun 2014 15:36:15 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Alexander Zangerl <az@debian.org>. (Thu, 19 Jun 2014 15:36:15 GMT)


Message #22 received at 751902@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 751902@bugs.debian.org
Subject: update
Date: Thu, 19 Jun 2014 18:32:31 +0300
I contacted upstream. Reference URL is now open.

Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Zangerl <az@debian.org>: Bug#751902; Package duplicity. (Fri, 20 Jun 2014 23:57:08 GMT)


Acknowledgement sent to Alexander Zangerl <az@snafu.priv.at>: Extra info received and forwarded to list. Copy sent to Alexander Zangerl <az@debian.org>. (Fri, 20 Jun 2014 23:57:08 GMT)


Message #27 received at 751902@bugs.debian.org:

From: Alexander Zangerl <az@snafu.priv.at>
To: control@bugs.debian.org, 751902@bugs.debian.org
Subject: bug 751902
Date: Sat, 21 Jun 2014 09:41:06 +1000
retitle 751902 "duplicity should enable boto's certificate verification option"
severity 751902 normal
forwarded 751902 https://bugs.launchpad.net/duplicity/+bug/1314234
thanks

I'm downgrading this bug to normal severity, as the issue affects only one
(of about a dozen) different storage backends in duplicity (actually the only
purely commercial backend).

regards
az


-- 
Alexander Zangerl + GPG Key 0xB963BD5F (or 0x42BD645D) + http://snafu.priv.at/
ISO Water Torture: ...ploughing through all sorts of ISO, ANSI, ITU, 
and IETF standards and other working documents, some of which are best 
understood when held upside-down in front of a mirror. -- Peter Gutmann

Changed Bug title to '"duplicity should enable boto's certificate verification option"' from 'duplicity: CVE-2014-3495: improper verification of SSL certificates'. Request was from Alexander Zangerl <az@snafu.priv.at> to control@bugs.debian.org. (Fri, 20 Jun 2014 23:57:11 GMT)


Severity set to 'normal' from 'important'. Request was from Alexander Zangerl <az@snafu.priv.at> to control@bugs.debian.org. (Fri, 20 Jun 2014 23:57:12 GMT)


Set Bug forwarded-to-address to 'https://bugs.launchpad.net/duplicity/+bug/1314234'. Request was from Alexander Zangerl <az@snafu.priv.at> to control@bugs.debian.org. (Fri, 20 Jun 2014 23:57:13 GMT)


Changed Bug title to 'duplicity should enable boto's certificate verification option (CVE-2014-3495)' from '"duplicity should enable boto's certificate verification option"'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 21 Jun 2014 13:09:14 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Zangerl <az@debian.org>: Bug#751902; Package duplicity. (Mon, 09 Jan 2017 22:21:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Alexander Zangerl <az@debian.org>. (Mon, 09 Jan 2017 22:21:04 GMT)


Message #40 received at 751902@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Alexander Zangerl <az@snafu.priv.at>
Cc: 751902@bugs.debian.org
Subject: Re: bug 751902
Date: Mon, 9 Jan 2017 23:17:05 +0100
On Sat, Jun 21, 2014 at 09:41:06AM +1000, Alexander Zangerl wrote:
> retitle 751902 "duplicity should enable boto's certificate verification option"
> severity 751902 normal
> forwarded 751902 https://bugs.launchpad.net/duplicity/+bug/1314234
> thanks
> 
> i'm downgrading this bug to normal severity, as the issue affects only one
> (of about a dozen) different storage backends in duplicity (actually the only 
> purely commercial backend).

Given that this is unfixed upstream for years, let's exclude the backend from
the Debian binary package?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Zangerl <az@debian.org>: Bug#751902; Package duplicity. (Fri, 13 Jan 2017 20:18:03 GMT)


Acknowledgement sent to Alexander Zangerl <az@snafu.priv.at>: Extra info received and forwarded to list. Copy sent to Alexander Zangerl <az@debian.org>. (Fri, 13 Jan 2017 20:18:03 GMT)


Message #45 received at 751902@bugs.debian.org:

From: Alexander Zangerl <az@snafu.priv.at>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 751902@bugs.debian.org
Subject: Re: bug 751902
Date: Sat, 14 Jan 2017 06:15:10 +1000
On Mon, 09 Jan 2017 23:17:05 +0100, Moritz Muehlenhoff writes:
>Given that this is unfixed upstream for years, let's exclude the backend from
>the Debian binary package?

No, I don't want to do that.

As of python-boto 2.6, certificate validation is auto-enabled. Pity
that that's not in Debian yet... http://docs.pythonboto.org/en/latest/releasenotes/v2.6.0.html (or is it 2.45? Utter confusion seems to reign over there...)

Having looked at this now, it seems easy to simply hack
the 'mandatory not optional' part into the Debian version.

regards
az



-- 
Alexander Zangerl + GPG Key 2FCCF66BB963BD5F + http://snafu.priv.at/
cc:Mail is a wonderful application, as long as you don't want to
read or send mail. -- Jan van den Broek

Reply sent to Alexander Zangerl <az@snafu.priv.at>: You have taken responsibility. (Thu, 26 Jan 2017 03:27:04 GMT)


Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Thu, 26 Jan 2017 03:27:04 GMT)


Message #50 received at 751902-done@bugs.debian.org:

From: Alexander Zangerl <az@snafu.priv.at>
To: 751902-done@bugs.debian.org
Subject: python-boto and certificates
Date: Thu, 26 Jan 2017 13:23:29 +1000
According to the release notes for boto 2.6.0
at http://docs.pythonboto.org/en/latest/releasenotes/v2.6.0.html,
boto's default is now to enable certificate verification.
(Before that version it was opt-in, which duplicity never got around to.)

Given this and the versions of python-boto in stable and unstable
(2.34 and newer), there's nothing left to do for duplicity
and I'm therefore closing this bug.

regards
az


-- 
Alexander Zangerl + GPG Key 2FCCF66BB963BD5F + http://snafu.priv.at/
"If you think you can have a nice network with ms-windows machines on it, you
haven't run tcpdump yet."  -- Alan Rosenthal
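The closing message relies on boto's default rather than on anything duplicity does, so the practitioner's check on a given host is the boto configuration and version actually installed. The following is an added example, not from the bug log or from either project: `https_validate_certificates` in the `[Boto]` section is boto's documented setting, read from `/etc/boto.cfg` or `~/.boto`. The weak stanza is what the pre-2.6 opt-in default amounted to for a caller that never enabled it; the corrected stanza pins verification on regardless of the installed boto's compiled-in default.

```ini
# /etc/boto.cfg or ~/.boto  (added example, not from the bug report)

# Weak: certificate and hostname checking disabled. On boto < 2.6 this is
# also the effective behaviour when the setting is simply absent.
#[Boto]
#https_validate_certificates = False

# Corrected: verify the server certificate and hostname on every HTTPS
# connection, independent of the installed boto version's default.
[Boto]
https_validate_certificates = True
```

With the corrected stanza in place, a host that is stuck on an older python-boto (or one where a deployment tool has switched the option off) verifies certificates the same way a current boto does; the setting is harmless on boto 2.6 and later, where it only restates the default.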

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 23 Feb 2017 07:25:04 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:12:11 2019; Machine Name: buxtehude
