[Bug 1036839] Re: Quantal software-properties incorrectly validating ssl certs
Launchpad Bug Tracker
1036839 at bugs.launchpad.net
Mon Aug 27 08:00:14 UTC 2012
This bug was fixed in the package software-properties - 0.92

---------------
software-properties (0.92) quantal; urgency=low

  [ Robert Roth ]
  * lp:~evfool/software-properties/lp1030970 :
    - Fixed the source code checkbox and the submit statistics
      checkbox labels to be left-aligned instead of centered.
  * lp:~evfool/software-properties/lp997371:
    - support enabling a component via "apt-add-repository componentname"
      (e.g. "apt-add-repository multiverse") LP: #997371

  [ Mathieu Trudel-Lapierre ]
  * Reinstate pycurl to use for getting PPA information from Launchpad, since
    it can actually verify SSL certificates with python2. Also set
    LAUNCHPAD_PPA_CERT so that it's a valid path to the system CA certificates
    bundle to use for urllib and pycurl. (LP: #1036839)
    - CVE-2012-0955

  [ Gabor Kelemen ]
  * lp:~kelemeng/software-properties/bug1035544:
    - fix a bunch of missing i18n strings (LP: #1035544)

  [ Michael Vogt ]
  * lp:~mvo/software-properties/remove-popcon:
    - remove the "statistics" page as this is no longer used
      (LP: #1025436)

 -- Michael Vogt <michael.vogt at ubuntu.com>  Mon, 27 Aug 2012 09:56:47 +0200

** Changed in: software-properties (Ubuntu)
       Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/1036839
Title:
Quantal software-properties incorrectly validating ssl certs
Status in “software-properties” package in Ubuntu:
Fix Released
Bug description:
The python3 migration of software-properties causes it to incorrectly
validate ssl certificates, leading to a MITM being able to compromise
a remote system. It basically reverts the fix for LP: 915210.

  from softwareproperties/ppa.py:

  <snip>
  # None means use the system default SSL store.
  # Otherwise a path to a file is expected (as a bundle of certs)
  LAUNCHPAD_PPA_CERT = None
  <snip>
      try:
          lp_page = urllib2.urlopen(request, cafile=LAUNCHPAD_PPA_CERT)
      except TypeError:
          lp_page = urllib2.urlopen(request)

When running under python2, urllib2 does _not_ do ssl certificate checking.
When running under python3, urllib.request _does_ do ssl certificate checking, but only if the cafile points to a valid certificate bundle. Contrary to the comment in the code, setting it to None means it's not checking ssl certificates _at all_.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1036839/+subscriptions
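
Added example, not part of the original notification and not the software-properties code: a fail-closed variant of the fetch quoted in the bug description, written for a current Python 3, where a missing or empty CA bundle raises an error and there is no unverified fallback. The bundle path and the names build_verifying_context and fetch_ppa_info are assumptions made for illustration; the changelog only says "the system CA certificates bundle".

```python
import os
import ssl
import urllib.request

# Assumption: Debian/Ubuntu location of the system CA bundle. The page only
# says "the system CA certificates bundle" and does not give the path.
LAUNCHPAD_PPA_CERT = "/etc/ssl/certs/ca-certificates.crt"


def build_verifying_context(cafile):
    """Return an SSLContext that verifies peers against cafile, or raise.

    Fails closed: None, a missing file, or a file without any certificate
    raises ValueError instead of yielding a non-verifying context.
    """
    if not cafile or not os.path.isfile(cafile):
        raise ValueError("CA bundle not found: %r" % (cafile,))
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cafile)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        raise ValueError("unusable CA bundle %r: %s" % (cafile, exc))
    if ctx.cert_store_stats()["x509"] == 0:
        raise ValueError("CA bundle %r contains no certificates" % (cafile,))
    return ctx


def fetch_ppa_info(url, cafile=LAUNCHPAD_PPA_CERT):
    """Fetch url over verified HTTPS. There is no unverified fallback:
    any error building the context or validating the peer propagates."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS URL: %r" % (url,))
    ctx = build_verifying_context(cafile)
    request = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(request, context=ctx, timeout=30) as lp_page:
        return lp_page.read()
```

The context is passed explicitly, so a bad bundle path surfaces as an exception at startup rather than as a silently unverified connection.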