Debian Bug report logs - #510417
links2: silently accepts bad SSL certificates

Package: links2; Maintainer for links2 is Axel Beckert <abe@debian.org>; Source for links2 is src:links2.

Reported by: Neil Moore <neil@s-z.org>

Date: Thu, 1 Jan 2009 17:00:01 UTC

Severity: grave

Tags: patch, security

Found in versions links2/2.2-1, links2/2.1pre26-4

Fixed in version links2/2.3~pre1-1

Done: Axel Beckert <abe@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Gürkan Sengün <gurkan@phys.ethz.ch>:
Bug#510417; Package links2. (Thu, 01 Jan 2009 17:00:03 GMT)

Acknowledgement sent to Neil Moore <neil@s-z.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Gürkan Sengün <gurkan@phys.ethz.ch>. (Thu, 01 Jan 2009 17:00:03 GMT)

Message #5 received at submit@bugs.debian.org:

From: Neil Moore <neil@s-z.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: links2: silently accepts bad SSL certificates
Date: Thu, 01 Jan 2009 11:57:35 -0500
Package: links2
Version: 2.2-1
Severity: grave
Tags: security
Justification: user security hole

Links2 does not validate certificates it receives; as a result, there is
no warning that one is visiting a page with an expired certificate, a
certificate not signed by a trusted authority, or a certificate for the
wrong hostname.  As a result, an attacker capable of intercepting one's
packets can launch a man-in-the-middle attack to obtain account numbers,
passwords, etc.

At the very least, the documentation should prominently warn that
links2's HTTPS support is not to be relied upon for sensitive
information.

This is the same issue reported in bug 510348 for the (unrelated) browser
'dillo'.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-openvz-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages links2 depends on:
ii  libc6                  2.7-16            GNU C Library: Shared libraries
ii  libdirectfb-1.0-0      1.0.1-11          direct frame buffer graphics - sha
ii  libgpm2                1.20.4-3.1        General Purpose Mouse - shared lib
ii  libjpeg62              6b-14             The Independent JPEG Group's JPEG 
ii  libpng12-0             1.2.27-2          PNG library - runtime
ii  libssl0.9.8            0.9.8g-14         SSL shared libraries
ii  libsvga1               1:1.4.3-27        console SVGA display libraries
ii  libtiff4               3.8.2-11          Tag Image File Format (TIFF) libra
ii  libx11-6               2:1.1.5-2         X11 client-side library
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

links2 recommends no packages.

links2 suggests no packages.

-- no debconf information

Information forwarded to debian-bugs-dist@lists.debian.org, Gürkan Sengün <gurkan@phys.ethz.ch>:
Bug#510417; Package links2. (Wed, 25 Mar 2009 13:48:02 GMT)

Acknowledgement sent to 510417@bugs.debian.org, Adeodato Simó <dato@net.com.org.es>:
Extra info received and forwarded to list. Copy sent to Gürkan Sengün <gurkan@phys.ethz.ch>. (Wed, 25 Mar 2009 13:48:02 GMT)

Message #10 received at 510417@bugs.debian.org:

From: Adeodato Simó <dato@net.com.org.es>
To: Neil Moore <neil@s-z.org>, 510417@bugs.debian.org
Subject: Re: Bug#510417: links2: silently accepts bad SSL certificates
Date: Wed, 25 Mar 2009 14:45:48 +0100
* Neil Moore [Thu, 01 Jan 2009 11:57:35 -0500]:

> Package: links2
> Version: 2.2-1
> Severity: grave
> Tags: security
> Justification: user security hole

Hello, Neil. I’m sorry I’m not mailing you to help solve this bug, since
I’m not the maintainer of links2.

I do release management in Debian, and I’m interested in knowing whether
this bug affects 2.1pre37-1.1, which is currently in stable (and testing).
Do you know if that is the case? Could you perhaps check?

Thanks,

> Links2 does not validate certificates it receives; as a result, there is
> no warning that one is visiting a page with an expired certificate, a
> certificate not signed by a trusted authority, or a certificate for the
> wrong hostname.  As a result, an attacker capable of intercepting one's
> packets can launch a man-in-the-middle attack to obtain account numbers,
> passwords, etc.

> At the very least, the documentation should prominently warn that
> links2's HTTPS support is not to be relied upon for sensitive
> information.

> This is the same issue reported in bug 510348 for the (unrelated) browser
> 'dillo'.

> -- System Information:
> Debian Release: 5.0
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: i386 (i686)

> Kernel: Linux 2.6.26-1-openvz-686 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash

> Versions of packages links2 depends on:
> ii  libc6                  2.7-16            GNU C Library: Shared libraries
> ii  libdirectfb-1.0-0      1.0.1-11          direct frame buffer graphics - sha
> ii  libgpm2                1.20.4-3.1        General Purpose Mouse - shared lib
> ii  libjpeg62              6b-14             The Independent JPEG Group's JPEG 
> ii  libpng12-0             1.2.27-2          PNG library - runtime
> ii  libssl0.9.8            0.9.8g-14         SSL shared libraries
> ii  libsvga1               1:1.4.3-27        console SVGA display libraries
> ii  libtiff4               3.8.2-11          Tag Image File Format (TIFF) libra
> ii  libx11-6               2:1.1.5-2         X11 client-side library
> ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

> links2 recommends no packages.

> links2 suggests no packages.

> -- no debconf information

-- 
- Are you sure we're good?
- Always.
        -- Rory and Lorelai

Information forwarded to debian-bugs-dist@lists.debian.org, Gürkan Sengün <gurkan@phys.ethz.ch>:
Bug#510417; Package links2. (Wed, 25 Mar 2009 14:45:03 GMT)

Acknowledgement sent to Neil Moore <neil@s-z.org>:
Extra info received and forwarded to list. Copy sent to Gürkan Sengün <gurkan@phys.ethz.ch>. (Wed, 25 Mar 2009 14:45:03 GMT)

Message #15 received at 510417@bugs.debian.org:

From: Neil Moore <neil@s-z.org>
To: 510417@bugs.debian.org, Adeodato Simó <dato@net.com.org.es>
Cc: Neil Moore <neil@s-z.org>
Subject: Re: Bug#510417: links2: silently accepts bad SSL certificates
Date: Wed, 25 Mar 2009 10:42:50 -0400
Adeodato Simó writes:
> * Neil Moore [Thu, 01 Jan 2009 11:57:35 -0500]:
> 
> > Package: links2
> > Version: 2.2-1
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> 
> Hello, Neil. I’m sorry I’m not mailing you to help solve this bug, since
> I’m not the maintainer of links2.
> 
> I do release management in Debian, and I’m interested in knowing whether
> this bug affects 2.1pre37-1.1, which is currently in stable (and testing).
> Do you know if that is the case? Could you perhaps check?

The bug is present in 2.1pre37-1.1, as well as in 2.1pre26-4 (the
version in oldstable).

The site I am using to test is internal, and will soon have a real
certificate, hence my reluctance to post its URL.  One can test for at
least part of the problem with:

  https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/

(the URL from the dillo bug #510348).  This site has an
(intentionally) expired certificate, and is signed with a fake
(collided) MD5-hashed CA cert, though it does have a correct hostname.
Depending on the version of OpenSSL and the CA certs list, it should
report either an expired cert or a bad signature.

Hope this helps,
-- 
Neil Moore, neil@s-z.org, http://s-z.org/neil/

Bug marked as found in version 2.1pre26-4. Request was from Adeodato Simó <dato@net.com.org.es> to control@bugs.debian.org. (Wed, 25 Mar 2009 21:54:16 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Gürkan Sengün <gurkan@phys.ethz.ch>:
Bug#510417; Package links2. (Tue, 30 Jun 2009 06:33:02 GMT)

Acknowledgement sent to gurkan <gurkan@phys.ethz.ch>:
Extra info received and forwarded to list. Copy sent to Gürkan Sengün <gurkan@phys.ethz.ch>. (Tue, 30 Jun 2009 06:33:02 GMT)

Message #22 received at 510417@bugs.debian.org:

From: gurkan <gurkan@phys.ethz.ch>
To: <510417@bugs.debian.org>
Subject: links2: silently accepts bad SSL certificates
Date: Tue, 30 Jun 2009 08:30:07 +0200
Hello

It's true that links doesn't visually notify the user in such a case. I see
the following solutions:

1 Disable https support

2 Notify the user about this behaviour in README.Debian

3 Somehow notify the user (I think I talked to Karel about this problem
when I got the report, but he didn't give any signs to get this fixed). So
if nobody sends a patch, it won't get fixed.

Yours
Guerkan

Information forwarded to debian-bugs-dist@lists.debian.org, Gürkan Sengün <gurkan@phys.ethz.ch>:
Bug#510417; Package links2. (Wed, 31 Mar 2010 09:57:03 GMT)

Acknowledgement sent to debian@gisladisker.se:
Extra info received and forwarded to list. Copy sent to Gürkan Sengün <gurkan@phys.ethz.ch>. (Wed, 31 Mar 2010 09:57:04 GMT)

Message #27 received at 510417@bugs.debian.org:

From: Mats Erik Andersson <mats.andersson@gisladisker.se>
To: 510417@bugs.debian.org
Subject: links2 -- One possible HTTPS verification procedure
Date: Wed, 31 Mar 2010 11:43:01 +0200
The attached patch will abort HTTPS connections that do
not verify properly. It is thus not the final answer to
this bug, but it is a starting point.

The code eliminates use of SSLv2 from the allowed exchange
protocols, and it makes a verification exception for
self-signed certificates (it would be very mean to the common
user to prevent him from using self-signed certificates on his
private servers).

You would do better to make contact with the security team before
considering applying a patch like this (links2 is drowning in
compiler warnings, by the way), as it drastically changes the
behaviour of Links2 the average user will experience.

I have tested this against official sites, as well as others
with self-signed or outdated certificates. The first two pass,
and the last case leads to rejection.

-- 
Mats Erik Andersson, fil. dr
[links2_better_verification.diff (text/x-diff, attachment)]
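The original report (no check of expiry, issuer or hostname) and Mats's description of what his patch enforces (abort on verification failure, no SSLv2, a carve-out for self-signed certificates) can be made concrete with a small client. The following is an added example written for this page, not links2 code and not the attached patch; it uses Python's `ssl` module instead of links2's OpenSSL calls. The `cafile` argument, the verify-code table and the `check_https_endpoint` function are this example's own constructions, and the safer alternative to a blanket self-signed exception (trusting one specific certificate as the only CA) is the editor's suggestion, not something the patch does.

```python
"""Client-side TLS certificate checking (added example, not links2 code).

Contrasts a context that behaves like the links2 builds in this bug
(any certificate accepted) with one that enforces what the report asks for:
a trusted chain, a valid validity period and a matching hostname.
"""
import socket
import ssl
from typing import Optional

# OpenSSL X509 verify codes as surfaced by ssl.SSLCertVerificationError.verify_code,
# mapped to the failure categories named in the bug report (table constructed here).
VERIFY_CODE_CATEGORY = {
    7: "bad signature",        # X509_V_ERR_CERT_SIGNATURE_FAILURE
    9: "not yet valid",        # X509_V_ERR_CERT_NOT_YET_VALID
    10: "expired",             # X509_V_ERR_CERT_HAS_EXPIRED
    18: "self-signed",         # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    19: "untrusted CA",        # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    20: "untrusted CA",        # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "untrusted CA",        # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
    62: "hostname mismatch",   # X509_V_ERR_HOSTNAME_MISMATCH
}


def build_unverified_context() -> ssl.SSLContext:
    """Mimic the reported links2 behaviour: every certificate is accepted.

    Present only so the contrast is visible; a MITM with any certificate passes.
    check_hostname must be cleared before verify_mode can be lowered to CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Enforce chain, validity period and hostname; refuse legacy protocol versions.

    cafile=None trusts the system CA store.  Passing the PEM of one specific
    self-signed certificate (hypothetical path chosen by the caller) makes that
    certificate the only trust anchor, which keeps Mats's "self-signed exception"
    for a private server without disabling verification for everyone else.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Rules out SSLv2/SSLv3 and TLS 1.0/1.1 in one setting.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def classify_verify_error(err: ssl.SSLCertVerificationError) -> str:
    """Map a verification failure to the categories the bug report lists."""
    code = getattr(err, "verify_code", None)
    if code in VERIFY_CODE_CATEGORY:
        return VERIFY_CODE_CATEGORY[code]
    # Older Pythons or wrapped errors may carry only the message text.
    msg = (getattr(err, "verify_message", None) or str(err)).lower()
    if "hostname mismatch" in msg:
        return "hostname mismatch"
    if "expired" in msg:
        return "expired"
    return "other verification failure"


def check_https_endpoint(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect with the verifying context and report what a careful client sees.

    Returns {"ok": True, ...} on success, otherwise {"ok": False, "reason": <category>,
    "detail": <text>}.  Needs network access, so the offline test does not call it.
    """
    ctx = build_verifying_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "subject": cert.get("subject"), "protocol": tls.version()}
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "reason": classify_verify_error(e), "detail": str(e)}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "reason": "connection/TLS error", "detail": str(e)}


if __name__ == "__main__":
    import sys
    # Usage: python check_tls.py example.invalid  (hostname supplied by the caller)
    print(check_https_endpoint(sys.argv[1]))
```

Run against a host with an expired certificate, the verifying context raises before any HTTP request is sent and `classify_verify_error` reports "expired"; the unverified context would have completed the handshake silently, which is exactly the behaviour the report describes. The `check_hostname`/`verify_mode` ordering in `build_unverified_context` is a useful reminder that the library deliberately makes verification hard to switch off by accident.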

Added tag(s) patch. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Thu, 08 Jul 2010 14:39:06 GMT)

Added tag(s) pending. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Thu, 08 Jul 2010 16:57:04 GMT)

Reply sent to Axel Beckert <abe@debian.org>:
You have taken responsibility. (Fri, 09 Jul 2010 15:36:04 GMT)

Notification sent to Neil Moore <neil@s-z.org>:
Bug acknowledged by developer. (Fri, 09 Jul 2010 15:36:04 GMT)

Message #36 received at 510417-close@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: 510417-close@bugs.debian.org
Subject: Bug#510417: fixed in links2 2.3~pre1-1
Date: Fri, 09 Jul 2010 15:32:09 +0000
Source: links2
Source-Version: 2.3~pre1-1

We believe that the bug you reported is fixed in the latest version of
links2, which is due to be installed in the Debian FTP archive:

links2_2.3~pre1-1.debian.tar.gz
  to main/l/links2/links2_2.3~pre1-1.debian.tar.gz
links2_2.3~pre1-1.dsc
  to main/l/links2/links2_2.3~pre1-1.dsc
links2_2.3~pre1-1_i386.deb
  to main/l/links2/links2_2.3~pre1-1_i386.deb
links2_2.3~pre1.orig.tar.gz
  to main/l/links2/links2_2.3~pre1.orig.tar.gz
links_2.3~pre1-1_i386.deb
  to main/l/links2/links_2.3~pre1-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510417@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <abe@debian.org> (supplier of updated links2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 09 Jul 2010 17:08:56 +0200
Source: links2
Binary: links2 links
Architecture: source i386
Version: 2.3~pre1-1
Distribution: unstable
Urgency: low
Maintainer: Gürkan Sengün <gurkan@phys.ethz.ch>
Changed-By: Axel Beckert <abe@debian.org>
Description: 
 links      - Web browser running in text mode
 links2     - Web browser running in both graphics and text mode
Closes: 510417 544289 556118
Changes: 
 links2 (2.3~pre1-1) unstable; urgency=low
 .
   [Gürkan Sengün]
   * New upstream version.
     + Supports UTF-8 (Closes: #544289)
   * debian/rules: drop dh_desktop call.
   * Bump debhelper version to 7.
   * Added debian/watch file.
 .
   [Axel Beckert]
   * Added myself to Uploaders
   * Bumped Standards-Version to 3.9.0 (no changes)
   * Move to Source Format "3.0 (quilt)"
   * Apply patch by Mats Erik Andersson <mats.andersson@gisladisker.se>
     abort if an SSL certificate doesn't validate and update it to fit to
     2.3pre1 sources. (Closes: #510417)
   * Added appropriate prerm and postinst scripts for links, too
     (Closes: #556118, LP: #443391)
Checksums-Sha1: 
 e01e41d9a8727dd86cb818250412e2817eeb40cf 1343 links2_2.3~pre1-1.dsc
 90e9674bca07d17c1836c8b6e7a20399d7d12ceb 4195393 links2_2.3~pre1.orig.tar.gz
 e88cc9a0d4e4bf019079d995f0a3092f5e2f40e2 36065 links2_2.3~pre1-1.debian.tar.gz
 8745a8355abaa9751039f1886da3b6a71adc9085 2002976 links2_2.3~pre1-1_i386.deb
 cd79e568844c921f1dcf54cf1dcbebe47fe26179 512384 links_2.3~pre1-1_i386.deb
Checksums-Sha256: 
 09a074ab906b7629052a588d83328cc702285bcac195e69cc91a79a62d7e40fd 1343 links2_2.3~pre1-1.dsc
 c3a08640c29e0db3ed7209a10201f5bccfc4e0b0e2abcaaeef1b3faa068e8389 4195393 links2_2.3~pre1.orig.tar.gz
 ccc61a982aad78a0510f0576e03390c246cca5a4a7c3bc19060a2489e8adaa07 36065 links2_2.3~pre1-1.debian.tar.gz
 f18f24a1790ded98438b956eff632d3379c9a24b9bee5cab4c681fe0c8320fbd 2002976 links2_2.3~pre1-1_i386.deb
 7bfc60da5ff70677b0809cfe53970bd8582260e2f1d699ee8e3c82005471c2bf 512384 links_2.3~pre1-1_i386.deb
Files: 
 9e6fba6688d1842711b480f927f42a84 1343 web optional links2_2.3~pre1-1.dsc
 31218f291a1e31069c070a9f2fd5aa42 4195393 web optional links2_2.3~pre1.orig.tar.gz
 c5a14f2baed6cfc3002cc5ebafb3d463 36065 web optional links2_2.3~pre1-1.debian.tar.gz
 3213a6c1407afdbdb3228a42c77f46b7 2002976 web optional links2_2.3~pre1-1_i386.deb
 aba87ed2bd01c0c250c3a4012b8764db 512384 web optional links_2.3~pre1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkw3PZEACgkQwJ4diZWTDt7CHgCdFG9Omxh8PmQJDWf1lxmlWlDh
0AkAnimjZNQVmPa5NA1dniSJDzwqvAj5
=gbta
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 08:06:09 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 00:16:42 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.