ubuntu-sso-client doesn't validate ssl certificates

Bug #882055 reported by Marc Deslauriers
274
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu One Client
Invalid
Undecided
Unassigned
Ubuntu Single Sign On Client
Status tracked in Trunk
Stable-1-2
Fix Released
High
Alejandro J. Cura
Stable-1-4
Fix Released
High
Alejandro J. Cura
Stable-3-0
Fix Released
Undecided
Unassigned
Stable-4-0
Fix Released
Undecided
Unassigned
Trunk
Fix Released
Undecided
Unassigned
ubuntu-sso-client (Ubuntu)
Fix Released
Medium
Unassigned
Maverick
Won't Fix
Medium
Marc Deslauriers
Natty
Fix Released
Medium
Marc Deslauriers
Oneiric
Fix Released
Medium
Marc Deslauriers
Precise
Fix Released
Medium
Unassigned

Bug Description

ubuntu-sso-client uses urllib2 to perform certain operations on https web sites. urllib2 does not do any certificate validation, and should only be used if certificate validation is being done by the application itself.

This results in a trivial man in the middle attack that can obtain or alter sensitive information.

Related branches

CVE References

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

in the ubuntu_sso/gtk/gui.py file, it also uses webkit without setting the "ssl-strict" and "ssl-ca-file" properties, so it's not doing certificate checking in the webkit parts either.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This bug is embargoed and _must_ remain private until the security team sets a unembargo date. Please do not comment publically, or check code into public software repositories until then.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Here is an example script that shows how to do certificate validation with urllib2.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Here is a webkit example for oneiric+

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Here is a webkit example for natty and older

Changed in ubuntuone-client:
status: New → Invalid
Revision history for this message
Natalia Bidart (nataliabidart) wrote :
Changed in ubuntu-sso-client (Ubuntu):
status: New → Confirmed
Revision history for this message
Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntu-sso-client/stable-1-4 that adds a module with the same api that urllib2, but using pycurl and validating the SSL certificates.

Revision history for this message
Alejandro J. Cura (alecu) wrote :
Revision history for this message
Alejandro J. Cura (alecu) wrote :
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for the patches, I'll work on security updates for this. Do not commit publically until the security updates have been published. Thanks!

Changed in ubuntu-sso-client (Ubuntu Maverick):
status: New → Confirmed
Changed in ubuntu-sso-client (Ubuntu Natty):
status: New → Confirmed
Changed in ubuntu-sso-client (Ubuntu Oneiric):
status: New → Confirmed
Changed in ubuntu-sso-client (Ubuntu Maverick):
importance: Undecided → Medium
Changed in ubuntu-sso-client (Ubuntu Natty):
importance: Undecided → Medium
Changed in ubuntu-sso-client (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in ubuntu-sso-client (Ubuntu Precise):
importance: Undecided → Medium
Changed in ubuntu-sso-client (Ubuntu Maverick):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ubuntu-sso-client (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ubuntu-sso-client (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2011-4408

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in ubuntu-sso-client (Ubuntu Maverick):
status: Confirmed → Won't Fix
Changed in ubuntu-sso-client (Ubuntu Precise):
status: Confirmed → Invalid
status: Invalid → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-sso-client - 1.4.1-0ubuntu1.1

---------------
ubuntu-sso-client (1.4.1-0ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882055)
    - debian/patches/CVE-2011-4408.patch: use pycurl instead of urllib2 in
      ubuntu_sso/account.py,
      ubuntu_sso/credentials.py,
      ubuntu_sso/tests/test_credentials.py,
      ubuntu_sso/utils/curllib.py,
      ubuntu_sso/utils/tests/test_curllib.py.
    - debian/control: add python-pycurl dependency.
    - CVE-2011-4408
 -- Marc Deslauriers <email address hidden> Fri, 25 May 2012 10:32:37 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-sso-client - 1.2.1-0ubuntu2.1

---------------
ubuntu-sso-client (1.2.1-0ubuntu2.1) natty-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882055)
    - debian/patches/CVE-2011-4408.patch: use pycurl instead of urllib2 in
      ubuntu_sso/account.py,
      ubuntu_sso/credentials.py,
      ubuntu_sso/tests/test_credentials.py,
      ubuntu_sso/utils/curllib.py,
      ubuntu_sso/utils/tests/test_curllib.py.
    - debian/control: add python-pycurl dependency.
    - CVE-2011-4408
 -- Marc Deslauriers <email address hidden> Tue, 31 Jan 2012 14:01:31 -0500

Changed in ubuntu-sso-client (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in ubuntu-sso-client (Ubuntu Oneiric):
status: Confirmed → Fix Released
visibility: private → public
tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-sso-client - 3.99.0-0ubuntu1

---------------
ubuntu-sso-client (3.99.0-0ubuntu1) quantal; urgency=low

  * New upstream release.
    - Remove some code duplication in web client. (LP: #904842)
    - Handle starting with the -testsability argument. (LP: #984964)
    - Log more details for SSL validation failure. (LP: #987405)
    - Use the new dev-tools API in tests. (LP: #988809)
    - Use the network detection page before signup/login. (LP: #996025)
    - Fix size of password assistance label in reset dialog. (LP: #999885)
    - ubuntu-sso-login-qt crashed with TypeError in got_state. (LP: #1003692)
  * debian/control:
    - Update dependencies to allow running unit tests during build.
  * debian/patches:
    - Remove upstreamed patches.
  * debian/patches/00_bug711413.patch:
    - Trap DBusException when connecting to session bus. (LP: #711413)
  * debian/patches/01_bug882055.patch:
    - Tell libsoup to use strict ssl with system ca certs. (LP: #882055)
  * debian/rules:
    - Enable unit tests during build.
  * debian/watch:
    - Update to use stable-4-0 series for Quantal.
 -- Rodney Dawes <email address hidden> Fri, 15 Jun 2012 16:52:27 -0400

Changed in ubuntu-sso-client (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Adam Conrad (adconrad) wrote : Please test proposed package

Hello Marc, or anyone else affected,

Accepted ubuntu-sso-client into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/ubuntu-sso-client/3.0.2-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
dobey (dobey)
tags: added: verification-done
removed: verification-needed
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.