Re: Certificate validation vulnerability in Git

Hello,

On Mon, Feb 25, 2013 at 12:16 AM, Andreas Ericsson <ae@xxxxxx> wrote:
> On 02/24/2013 06:31 PM, Zubin Mithra wrote:
>> Hello,
>>
>> There seems to be a security issue in the way git uses openssl for
>> certificate validation. Similar occurrences have been found and
>> documented in other open source projects, the research can be found at
>> [1].
>>
>> -=========]
>> - imap-send.c
>>
>> Line 307
>>
>>   307   ret = SSL_connect(sock->ssl);
>>   308   if (ret <= 0) {
>>   309     socket_perror("SSL_connect", sock, ret);
>>   310     return -1;
>>   311   }
>>   312
>>
>> Certificate validation errors are signaled either through return
>> values of SSL_connect or by setting internal flags. The internal flags
>> need to be checked using the SSL_get_verify_result function. This is
>> not performed.
>>
>> Kindly fix these issues, file a CVE and credit it to Dhanesh K. and
>> Zubin Mithra. Thanks.
>>
>
> The lack of certificate authority verification presents no attack vector
> for git imap-send. As such, it doesn't warrant a CVE. I'm sure you'll
> be credited with a "reported-by" line in the commit message if someone
> decides to fix it though. Personally, I'm not fussed.

I'd like to add in a few points -- generally SSL/TLS would be used in
cases where the authenticity of the server and confidentiality of the
messages transferred would be required. In this particular case, the
threat scenarios would be:

- Usage of an invalid attacker certificate could result in the
attacker gaining access to authentication information sent over the
wire.
- If the code repository were private, the patches thus generated are
also assumed to be kept private. An invalid certificate check at the
client side would enable an attacker to gain access to those patches.


Is there anything I'm missing? I believe this is a valid security issue.



Thanks,
Zubin


>
>> We are not subscribed to this list, so we'd appreciate it if you could
>> CC us in the replies.
>>
>
> That's standard on this list. Please follow the same convention if/when
> you reply. Thanks.
>
> --
> Andreas Ericsson                   andreas.ericsson@xxxxxx
> OP5 AB                             www.op5.se
> Tel: +46 8-230225                  Fax: +46 8-230231
>
> Considering the successes of the wars on alcohol, poverty, drugs and
> terror, I think we should give some serious thought to declaring war
> on peace.