[Bug 1036839] Re: Quantal software-properties incorrectly validating ssl certs
Launchpad Bug Tracker
1036839 at bugs.launchpad.net
Wed Aug 15 17:24:12 UTC 2012
** Branch linked: lp:~mathieu-tl/software-properties/lp1036839
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/1036839
Title:
Quantal software-properties incorrectly validating ssl certs
Status in “software-properties” package in Ubuntu:
In Progress
Bug description:
The python3 migration of software-properties causes it to incorrectly
validate ssl certificates, leading to a MITM being able to compromise
a remote system. It basically reverts the fix for LP: 915210.
from softwareproperties/ppa.py:
<snip>
# None means use the system default SSL store.
# Otherwise a path to a file is expected (as a bundle of certs)
LAUNCHPAD_PPA_CERT = None
<snip>
try:
    lp_page = urllib2.urlopen(request, cafile=LAUNCHPAD_PPA_CERT)
except TypeError:
    lp_page = urllib2.urlopen(request)
When running under python2, urllib2 does _not_ do ssl certificate checking.
When running under python3, urllib.request _does_ do ssl certificate checking, but only if the cafile points to a valid certificate bundle. Contrary to the comment in the code, setting it to None means it's not checking ssl certificates _at all_.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1036839/+subscriptions
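
Added example, not part of the bug report and not software-properties' own code: one way to make the fetch described above fail closed, by building the TLS context explicitly and checking it rather than relying on what cafile=None happens to mean. The names audit_context, make_verifying_context and open_verified are hypothetical; LAUNCHPAD_PPA_CERT is reused from the snippet with the meaning its comment intended.

```python
import ssl
import urllib.request

# None = platform trust store; otherwise a path to a CA bundle file.
LAUNCHPAD_PPA_CERT = None


def audit_context(ctx):
    """Return the reasons ctx would accept an unauthenticated server."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not required to validate")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the hostname")
    return problems


def make_verifying_context(cafile=None):
    """Build a context that verifies the chain and the hostname.

    A missing or unreadable bundle raises OSError here, so a bad path can
    never degrade into an unverified connection.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    problems = audit_context(ctx)
    if problems:
        raise RuntimeError("TLS context is not verifying: " + "; ".join(problems))
    return ctx


def open_verified(url, cafile=LAUNCHPAD_PPA_CERT, timeout=10):
    """Open an https:// URL with verification pinned on and no fallback."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS URL: %r" % url)
    handler = urllib.request.HTTPSHandler(context=make_verifying_context(cafile))
    resp = urllib.request.build_opener(handler).open(url, timeout=timeout)
    # The default redirect handler may follow a redirect to http://; reject it.
    if not resp.geturl().lower().startswith("https://"):
        resp.close()
        raise ValueError("redirected off HTTPS to %r" % resp.geturl())
    return resp
```

There is deliberately no except TypeError branch: any failure to set up or complete verification surfaces as an exception instead of retrying without it.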