On 02/24/2013 06:31 PM, Zubin Mithra wrote:
> Hello,
>
> There seems to be a security issue in the way git uses openssl for
> certificate validation. Similar occurrences have been found and
> documented in other open source projects; the research can be found at
> [1].
>
> -=========]
> - imap-send.c
>
> Line 307
>
> 307     ret = SSL_connect(sock->ssl);
> 308     if (ret <= 0) {
> 309         socket_perror("SSL_connect", sock, ret);
> 310         return -1;
> 311     }
> 312
>
> Certificate validation errors are signaled either through return
> values of SSL_connect or by setting internal flags. The internal flags
> need to be checked using the SSL_get_verify_result function. This is
> not performed.
>
> Kindly fix these issues, file a CVE and credit it to Dhanesh K. and
> Zubin Mithra. Thanks.
>

The lack of certificate authority verification presents no attack vector
for git imap-send. As such, it doesn't warrant a CVE. I'm sure you'll be
credited with a "reported-by" line in the commit message if someone
decides to fix it though. Personally, I'm not fussed.

> We are not subscribed to this list, so we'd appreciate it if you could
> CC us in the replies.
>

That's standard on this list. Please follow the same convention if/when
you reply.

Thanks.

--
Andreas Ericsson                   andreas.ericsson@xxxxxx
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war on
peace.