[Bug 1879533] Re: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it

Łukasz Zemczak 1879533 at bugs.launchpad.net
Thu Jun 4 10:41:22 UTC 2020 

Hello Dimitri, or anyone else affected,

Accepted busybox into focal-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/busybox/1:1.30.1-4ubuntu6.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
focal to verification-done-focal. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-focal. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: busybox (Ubuntu Focal)
       Status: New => Fix Committed

** Tags added: verification-needed verification-needed-focal

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to busybox in Ubuntu.
https://bugs.launchpad.net/bugs/1879533

Title:
  busybox does not verify TLS connections with
  CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and
  doesn't warn either about it

Status in busybox package in Ubuntu:
  Fix Released
Status in busybox source package in Focal:
  Fix Committed
Status in busybox source package in Groovy:
  Fix Released

Bug description:
  [Impact]

   * CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox
  applet using openssl

   * CONFIG_FEATURE_WGET_HTTPS=y enables https support in wget busybox
  applet using internal TLS code

   * CVE-2018-1000500 ensured that when CONFIG_FEATURE_WGET_HTTPS=y is
  used, a message is printed to notify the users that TLS verification
  is not perfomed.

   * However, when one configures with CONFIG_FEATURE_WGET_OPENSSL=y and
  CONFIG_FEATURE_WGET_HTTPS unset - no such message is printed.

   * Also TLS verification is not performed under OPENSSL case.

   * When performing https requests, it works openssl s_client and communicates with it to perform https download
   * Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored

   * There is no warning that TLS verification was not performed

  [Test Case]

   * Preparation: sudo apt install busybox; or build busybox with
  CONFIG_FEATURE_WGET_OPENSSL=y

   * Test case: /bin/busybox wget https://untrusted-root.badssl.com/

   * Expected: download failed, or download suceeds with warning printed
  that verification is disabled

   * Observed: download success without a warning that verification is
  disabled.

  $ /bin/busybox wget https://untrusted-root.badssl.com/
  Connecting to untrusted-root.badssl.com (104.154.89.105:443)
  index.html           100% |*************************************************************************************|   600  0:00:00 ETA

  $ cat index.html  | grep certificate
    The certificate for this site is signed using an untrusted root.

  [Regression Potential]

   * The fact that /bin/busybox wget https:// succeeds without TLS
  verification might be relied upon. If this issue is fixed, ensure that
  `--no-check-certificate` is honored.

  [Other Info]

   * Proposed fix

     pass `-verify_return_error` to s_client, unless `--no-check-
  certificate` is specified

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+subscriptions

More information about the foundations-bugs mailing list