Debian Bug report logs - #511261
CVE-2008-0049: Inproper certificate validation

version graph

Package: belpic; Maintainer for belpic is (unknown);

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 8 Jan 2009 21:33:01 UTC

Severity: grave

Tags: security

Found in version 2.5.9-7

Fixed in version 2.6.0-6

Done: Wouter Verhelst <wouter@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Wouter Verhelst <wouter@debian.org>:
Bug#511261; Package belpic. (Thu, 08 Jan 2009 21:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Wouter Verhelst <wouter@debian.org>. (Thu, 08 Jan 2009 21:33:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-0049: Inproper certificate validation
Date: Thu, 08 Jan 2009 22:30:14 +0100
Package: belpic
Severity: grave
Tags: security
Justification: user security hole

Hi Wouter,

CVE-2009-0049:

Belgian eID middleware (eidlib) 2.6.0 and earlier does not properly check the
return value from the OpenSSL EVP_VerifyFinal function, which allows remote
attackers to bypass validation of the certificate chain via a malformed SSL/TLS
signature, a similar vulnerability to CVE-2008-5077.

http://www.ocert.org/advisories/ocert-2008-016.html

Cheers,
        Moritz

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#511261; Package belpic. (Fri, 09 Jan 2009 02:57:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Wouter Verhelst <wouter@debian.org>:
Extra info received and forwarded to list. (Fri, 09 Jan 2009 02:57:13 GMT) Full text and rfc822 format available.

Message #10 received at 511261@bugs.debian.org (full text, mbox):

From: Wouter Verhelst <wouter@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 511261@bugs.debian.org
Subject: Re: Bug#511261: CVE-2008-0049: Inproper certificate validation
Date: Fri, 9 Jan 2009 03:54:45 +0100
Hi Moritz, hi security team,

On Thu, Jan 08, 2009 at 10:30:14PM +0100, Moritz Muehlenhoff wrote:
> CVE-2009-0049:

Yay. And 3.5.0 isn't even in source form anymore; I'm not even sure
whether they actually are going to publish source for that. *sigh*.

> Belgian eID middleware (eidlib) 2.6.0 and earlier does not properly check the
> return value from the OpenSSL EVP_VerifyFinal function, which allows remote
> attackers to bypass validation of the certificate chain via a malformed
> SSL/TLS signature, a similar vulnerability to CVE-2008-5077.

Since there appears to be no patch, AFAICS:

wouter@country:~/debian/eID/belpic-2.6.0$ grep -r 'EVP_VerifyFinal' *
src/newpkcs11/src/pkcs11/openssl.c: *   finishing with EVP_VerifyFinal().
src/newpkcs11/src/pkcs11/openssl.c:		res = EVP_VerifyFinal(md_ctx, signat, signat_len, pkey);
src/newpkcs11/src/pkcs11/openssl.c:			sc_debug(context, "EVP_VerifyFinal() returned %d\n", res);
src/newpkcs11/src/tools/pkcs11-tool.c:	err = EVP_VerifyFinal(&md_ctx, sig1, sigLen1, pkey);
src/eidlib/Verify.cpp:    iRet = 2*iDiffRNCert + !EVP_VerifyFinal(&cmd_ctx, (unsigned char *)pucSig, ulSigLen, pKey);

The first two files are okay. In both cases, the return value is sent to
a variable that is then properly checked using an if() {} else if() {} elseĀ {}
block for the three possible return values of EVP_VerifyFinal().

The third appears to be somewhat more conspicious. Looking around in the
code a bit, this is what it's *supposed* to return:

/* Signature validation return codes */
#define BEID_SIGNATURE_NOT_VALIDATED            -2 /* The signature is not valid
ated */
#define BEID_SIGNATURE_PROCESSING_ERROR            -1 /* Error verifying the signature. */
#define BEID_SIGNATURE_VALID                                0 /* The signature is valid. */
#define BEID_SIGNATURE_INVALID                                      1 /* The signature is not valid. */
#define BEID_SIGNATURE_VALID_WRONG_RRNCERT           2 /* The signature is valid and wrong RRN certificate. */
#define BEID_SIGNATURE_INVALID_WRONG_RRNCERT        3 /* The signature is not valid and wrong RRN certificate. */

(that's from eiddefines.h)

So the patch should be something like:

--- Verify.cpp.orig	2009-01-09 03:48:56.000000000 +0100
+++ Verify.cpp	2009-01-09 03:42:44.000000000 +0100
@@ -1013,6 +1013,7 @@
     unsigned char *pucRNCert = NULL;
     unsigned long ulRNCertLen = 0;
     BEID_Certif_Check tCertifs = {0};
+    int evp_ret;
 
     if(m_pCertifManager == NULL)
     {
@@ -1084,7 +1085,11 @@
 
     EVP_VerifyInit(&cmd_ctx, EVP_sha1());
     EVP_VerifyUpdate(&cmd_ctx, pucData, ulDataLen);
-    iRet = 2*iDiffRNCert + !EVP_VerifyFinal(&cmd_ctx, (unsigned char *)pucSig, ulSigLen, pKey);
+    evp_ret = EVP_VerifyFinal(&cmd_ctx, (unsigned char *)pucSig, ulSigLen, pKey);
+    if(evp_ret >= 0) {
+    	evp_ret = 1 - evp_ret;
+    }
+    iRet = 2*iDiffRNCert + evp_ret;
     EVP_PKEY_free(pKey);
     X509_free(pX509);
     return iRet;

Given that this is me guessing what the issue really is based on a
description and some documentation that I'm not 100% sure I correctly
parsed, I'd appreciate it if someone could verify and peer-review this
before I upload it to unstable.

Thanks,

-- 
<Lo-lan-do> Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22




Information forwarded to debian-bugs-dist@lists.debian.org, Wouter Verhelst <wouter@debian.org>:
Bug#511261; Package belpic. (Sun, 11 Jan 2009 15:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to George Danchev <danchev@spnet.net>:
Extra info received and forwarded to list. Copy sent to Wouter Verhelst <wouter@debian.org>. (Sun, 11 Jan 2009 15:24:05 GMT) Full text and rfc822 format available.

Message #15 received at 511261@bugs.debian.org (full text, mbox):

From: George Danchev <danchev@spnet.net>
To: 511261@bugs.debian.org
Subject: Re: CVE-2008-0049: Inproper certificate validation
Date: Sun, 11 Jan 2009 17:18:35 +0200
[Message part 1 (text/plain, inline)]
Hello Wouter,

I'm not quite familiar with your app internals, but it seems your fix makes no 
big difference between 0 and 1 return codes. You really want to use 
EVP_VerifyFinal as openssl guys did it [1], and provide the above functioning 
level with the all possible returns. Their doc suggests the same:

EVP_VerifyFinal() returns:
1 for a correct signature
0 for verfication failure 
-1 if some other error occurred.

This is a short code snippet from openssl: apps/dgst.c around line ~458.

i = EVP_VerifyFinal(ctx, sigin, (unsigned int)siglen, key); 
if(i > 0)
	BIO_printf(out, "Verified OK\n");
else if(i == 0)
	{
	BIO_printf(out, "Verification Failure\n");
	return 1;
	}
else
	{
	BIO_printf(bio_err, "Error Verifying Data\n");
	ERR_print_errors(bio_err);
	return 1;
	}

-- 
pub 4096R/0E4BD0AB 2003-03-18 <people.fccf.net/danchev/key pgp.mit.edu>
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#511261; Package belpic. (Mon, 12 Jan 2009 10:12:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Wouter Verhelst <wouter@debian.org>:
Extra info received and forwarded to list. (Mon, 12 Jan 2009 10:12:07 GMT) Full text and rfc822 format available.

Message #20 received at 511261@bugs.debian.org (full text, mbox):

From: Wouter Verhelst <wouter@debian.org>
To: George Danchev <danchev@spnet.net>, 511261@bugs.debian.org
Subject: Re: Bug#511261: CVE-2008-0049: Inproper certificate validation
Date: Mon, 12 Jan 2009 11:10:08 +0100
On Sun, Jan 11, 2009 at 05:18:35PM +0200, George Danchev wrote:
> Hello Wouter,
> 
> I'm not quite familiar with your app internals, but it seems your fix makes no 
> big difference between 0 and 1 return codes. You really want to use 
> EVP_VerifyFinal as openssl guys did it [1], and provide the above functioning 
> level with the all possible returns. Their doc suggests the same:
> 
> EVP_VerifyFinal() returns:
> 1 for a correct signature
> 0 for verfication failure 
> -1 if some other error occurred.
> 
> This is a short code snippet from openssl: apps/dgst.c around line ~458.
> 
> i = EVP_VerifyFinal(ctx, sigin, (unsigned int)siglen, key); 
> if(i > 0)
> 	BIO_printf(out, "Verified OK\n");
> else if(i == 0)
> 	{
> 	BIO_printf(out, "Verification Failure\n");
> 	return 1;
> 	}
> else
> 	{
> 	BIO_printf(bio_err, "Error Verifying Data\n");
> 	ERR_print_errors(bio_err);
> 	return 1;
> 	}

Yes, I know; the code base has two more calls, where the return value is
evaluated in the above sense.

However, the point is that this particular piece of code is a library
call. It wants to return a value that includes all information on the
EVP_VerifyFinal call. Previously, the '!EVP_VerifyFinal' piece
introduced a loss of information; however, the patch I proposed should
remedy that.

I just asked upstream to look at it; I was also recently informed that
the 3.5 code should (eventually) be available in source form, once
government bureaucracy has decided on a license.

-- 
<Lo-lan-do> Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22




Reply sent to Wouter Verhelst <wouter@debian.org>:
You have taken responsibility. (Sat, 17 Jan 2009 16:51:04 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 17 Jan 2009 16:51:04 GMT) Full text and rfc822 format available.

Message #25 received at 511261-done@bugs.debian.org (full text, mbox):

From: Wouter Verhelst <wouter@debian.org>
To: 511261-done@bugs.debian.org
Subject: Forgot the Closes: stanza
Date: Sat, 17 Jan 2009 17:46:58 +0100
Version: 2.6.0-6

I forgot to add a 'Closes: #511261' to the -6 upload, but it does fix
this bug. Oops.

Here's the .changes file:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 08 Aug 2008 17:02:33 -0300
Source: belpic
Binary: libbeidlibopensc2 libbeidlibopensc2-dev libbeidlibopensc2-dbg beid-tools libbeid2 libbeid2-dev libbeid2-dbg beidgui
Architecture: source powerpc
Version: 2.6.0-6
Distribution: unstable
Urgency: high
Maintainer: Wouter Verhelst <wouter@debian.org>
Changed-By: Wouter Verhelst <wouter@debian.org>
Description: 
 beid-tools - SmartCard utilities from the OpenSC project, compiled against lib
 beidgui    - application to read out information from the Belgian electronic I
 libbeid2   - library to read identity information from the Belgian electronic 
 libbeid2-dbg - library to read identity information from the Belgian eID card (d
 libbeid2-dev - development library to read identity information from the Belgian
 libbeidlibopensc2 - belgian eID PKCS11 library
 libbeidlibopensc2-dbg - belgian eID PKCS11 library, debugging symbols
 libbeidlibopensc2-dev - belgian eID PKCS11 library, development files
Changes: 
 belpic (2.6.0-6) unstable; urgency=high
 .
   * Remove libopenct1-dev builddep, and single leftover linkage to
     libopenct. This code was not actually active anymore since 2.6.0-4,
     but there were some leftovers.
   * Copy reader-pcsc.c over from a more recent version of opensc;
     interfaces have changed since this code was written, and otherwise
     it wouldn't compile anymore.
   * Include fix for CVE-2009-0049: EVP_VerifyFinal() return value is
     not correctly checked. Checked with upstream. Since this is a rather
     important security issue, urgency=high.
Checksums-Sha1: 
 afe141e1d2611a8353932f07882d4772ce72f0f0 1164 belpic_2.6.0-6.dsc
 5218f233e98238ca377867206f97b6face016f16 24885 belpic_2.6.0-6.diff.gz
 ac1a0546a2b1e972dea8240db546d6584ed52d3c 353940 libbeidlibopensc2_2.6.0-6_powerpc.deb
 bbe93b4c3a033d44a708c8831f23ebccc45036c2 1016088 libbeidlibopensc2-dev_2.6.0-6_powerpc.deb
 435a43cd6bc28ebb817676e11fa55a6b1fb31edc 864760 libbeidlibopensc2-dbg_2.6.0-6_powerpc.deb
 c020cecefa4ca70d71948fe49c9a4dea9deeb1ac 164048 beid-tools_2.6.0-6_powerpc.deb
 f55d5be43ec44dc5f44df0358fcc9d1a1c93a415 164666 libbeid2_2.6.0-6_powerpc.deb
 667e5ca2e47c50f4d31b3de56481689ae56cc24d 89698 libbeid2-dev_2.6.0-6_powerpc.deb
 c02b33a32f43be37e005c27e64b3e44f01ecaf4f 501202 libbeid2-dbg_2.6.0-6_powerpc.deb
 40a43043e51e0d86303aea62be7332b9dd8aa53d 320322 beidgui_2.6.0-6_powerpc.deb
Checksums-Sha256: 
 e33e8c726421087c26c24ec3ddf823d27fdc4d09645a59f8ee15df754874957e 1164 belpic_2.6.0-6.dsc
 707d4f67155c791efb68750c2fb3317cef170893e72a78e83ed9c19b2fd44803 24885 belpic_2.6.0-6.diff.gz
 754a2e79781470498f6089303eb5193872192a39cbf3f9a5b00aa5c295571175 353940 libbeidlibopensc2_2.6.0-6_powerpc.deb
 91589aad829e436d9f23820e63a91a9507a78ea9a1d18aefa1a9228b2ad95757 1016088 libbeidlibopensc2-dev_2.6.0-6_powerpc.deb
 d7bf57e2d4feb1af6332a024b570d61db4b55962c948d25563224dc3944afc6a 864760 libbeidlibopensc2-dbg_2.6.0-6_powerpc.deb
 5d15c071cb2a3f158471f4006293ef36c9d64ef13f45f63d68d2365f3830789f 164048 beid-tools_2.6.0-6_powerpc.deb
 48dea045fcc94203b708313d7c82d45b59475e240c19da83717af6c7d1427dea 164666 libbeid2_2.6.0-6_powerpc.deb
 b442579085b0c44d9cf3aa468111e6ffce8f48f87ae34dd8df88b9ee5625e1fe 89698 libbeid2-dev_2.6.0-6_powerpc.deb
 e8be692bd78fc76d5d1eacaf42d9ccbd38d2594209ad67e790d30b9bd6b3a74e 501202 libbeid2-dbg_2.6.0-6_powerpc.deb
 0498ad9027e4a46800e1173a753ca60113458b6cd9fb3a439b5e1b3bdf32854f 320322 beidgui_2.6.0-6_powerpc.deb
Files: 
 3c6c750a87e6d56ada5c86e23e691f0e 1164 - extra belpic_2.6.0-6.dsc
 0122c1b95c6defcd5cce00d2f9135756 24885 - extra belpic_2.6.0-6.diff.gz
 ddb4b70a73c0979ec07e3a0badc7df20 353940 libs extra libbeidlibopensc2_2.6.0-6_powerpc.deb
 9aed08318bace9f2bbb9eff6e7e6797b 1016088 libdevel extra libbeidlibopensc2-dev_2.6.0-6_powerpc.deb
 629942ddefb838b7fefbad347a0cd0d0 864760 libdevel extra libbeidlibopensc2-dbg_2.6.0-6_powerpc.deb
 c34f09ae8eb7b4fe522adfd5e1b8a195 164048 utils extra beid-tools_2.6.0-6_powerpc.deb
 e98f75101810fbbb811fc7ecc20eaf29 164666 libs extra libbeid2_2.6.0-6_powerpc.deb
 3655332b5c418fb9c167c3e5582e30c7 89698 libdevel extra libbeid2-dev_2.6.0-6_powerpc.deb
 e7bd1986f9adc19d52505709af9e6977 501202 libdevel extra libbeid2-dbg_2.6.0-6_powerpc.deb
 65e90d2a6508b620a6143ca3a1903a22 320322 utils extra beidgui_2.6.0-6_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklspJEACgkQPfwsYq950p6WwwCeL3elnAS4Ssd/KG0ZuEuVeZ0Z
bgMAnR21R8TU7k946S2vkLUkEKKcmxJv
=8yWO
-----END PGP SIGNATURE-----

Regards,

-- 
<Lo-lan-do> Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22




Bug marked as found in version 2.5.9-7. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sat, 17 Jan 2009 17:48:03 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 09:33:07 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:13:28 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.