Debian Bug report logs -
#608724
gwibber bypasses certificate checking when providing the login/password for OAuth
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kartik Mistry <kartik@debian.org>: Bug#608724; Package gwibber. (Mon, 03 Jan 2011 00:12:04 GMT)
Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kartik Mistry <kartik@debian.org>. (Mon, 03 Jan 2011 00:12:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: gwibber
Version: 2.91.2-1
Severity: grave
Tags: security
Justification: user security hole
Gwibber bypasses certificate checking when the login/password is
provided, at least to identi.ca.
Here's what I did:
1. Since I revoked Gwibber access for identi.ca a few days ago (by
mistake: it was listed as an unknown application), I had to
re-authorize it. For that, I had to provide my login/password.
2. Gwibber still didn't work with identi.ca: Refresh did nothing.
3. With Firefox, I checked on the "Connected applications"
page that a new application was approved (still listed as
"Unknown application" BTW, but it could only be Gwibber).
This means that my login and password were really sent to
identi.ca.
4. I quit Gwibber.
5. I installed the COMODOHigh-AssuranceSecureServerCA.crt certificate
as described on:
http://www.mail-archive.com/ubuntu-bugs@lists.ubuntu.com/msg2685302.html
6. I restarted Gwibber and did a refresh. It worked!
So, since the needed certificate wasn't installed for Gwibber
(because Refresh didn't work before and worked after its manual
installation) but the login and password had been accepted by
identi.ca before I installed the certificate, this means that
Gwibber didn't do the usual CA certificate checking for the OAuth
part, which is quite critical as this is where the login and
password were sent.
-- System Information:
Debian Release: 6.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.31-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages gwibber depends on:
ii gnome-keyring 2.30.3-4 GNOME keyring services (daemon and
ii gwibber-service 2.91.2-1 Open source social networking clie
ii libjs-jquery 1.4.2-2 JavaScript library for dynamic web
ii librsvg2-2 2.26.3-1 SAX-based renderer library for SVG
ii librsvg2-common 2.26.3-1 SAX-based renderer library for SVG
ii python 2.6.6-3+squeeze4 interactive high-level object-orie
ii python-dbus 0.83.1-1 simple interprocess messaging syst
ii python-egenix-mxdatetim 3.1.3-4 date and time handling routines fo
ii python-gconf 2.28.1-1 Python bindings for the GConf conf
ii python-gtk2 2.17.0-4 Python bindings for the GTK+ widge
ii python-gtkspell 2.25.3-6 Python bindings for the GtkSpell l
ii python-imaging 1.1.7-2 Python Imaging Library
ii python-mako 0.3.6-1 fast and lightweight templating fo
ii python-oauth 1.0.1-2 Python library implementing of the
ii python-simplejson 2.1.2-1 simple, fast, extensible JSON enco
ii python-support 1.0.11 automated rebuilding support for P
ii python-webkit 1.1.8-1 WebKit/Gtk Python bindings
ii python-wnck 2.30.0-4 Python bindings for the WNCK libra
ii python-xdg 0.19-2 Python library to access freedeskt
gwibber recommends no packages.
Versions of packages gwibber suggests:
pn gwibber-themes <none> (no description available)
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#608724; Package gwibber. (Fri, 03 Jun 2011 06:03:08 GMT)
Acknowledgement sent to kartik@debian.org: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Fri, 03 Jun 2011 06:03:08 GMT)
Message #12 received at 608724@bugs.debian.org:
On Mon, Jan 3, 2011 at 5:39 AM, Vincent Lefevre <vincent@vinc17.net> wrote:
> Gwibber bypasses certificate checking when the login/password is
> provided, at least to identi.ca.
This looks fixed in identi.ca server side. Can you confirm this?
--
Kartik Mistry
Debian GNU/Linux Developer
IRC: kart_ | Identica: @kartikm
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#608724; Package gwibber. (Sat, 04 Jun 2011 11:27:06 GMT)
Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Sat, 04 Jun 2011 11:27:07 GMT)
Message #17 received at 608724@bugs.debian.org:
On 2011-06-03 11:32:15 +0530, Kartik Mistry wrote:
> On Mon, Jan 3, 2011 at 5:39 AM, Vincent Lefevre <vincent@vinc17.net> wrote:
> > Gwibber bypasses certificate checking when the login/password is
> > provided, at least to identi.ca.
>
> This looks fixed in identi.ca server side. Can you confirm this?
This is a purely client-side bug.
The bug is not normally visible now that the server side has been
fixed. But the security problem probably still exists. Anyway, how
is the CA certificate supposed to be accessed?
(I don't have the time right now, but I suppose I could see this
with a strace.)
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#608724; Package gwibber. (Sat, 04 Jun 2011 22:39:03 GMT)
Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Sat, 04 Jun 2011 22:39:03 GMT)
Message #22 received at 608724@bugs.debian.org:
On 2011-06-04 13:24:36 +0200, Vincent Lefevre wrote:
> The bug is not normally visible now that the server side has been
> fixed. But the security problem probably still exists. Anyway, how
> the CA certificate is supposed to be accessed?
I confirm the security bug: the certificate is *not* checked.
Here's what I did:
1. Install a web server with SSL support on my local machine,
according to /usr/share/doc/apache2.2-common/README.Debian.gz
# a2ensite default-ssl
# a2enmod ssl
# /etc/init.d/apache2 restart
(I did nothing special concerning the certificates).
2. Configure the DNS system so that identi.ca corresponds to the
local machine (where I installed the server), by adding
127.0.2.1 identi.ca
to the /etc/hosts file.
Now, if I try to open https://identi.ca/ with Iceweasel, I get an
error because the certificate isn't valid, and
/var/log/apache2/ssl_access.log
doesn't show any access to the local server. This is fine! Iceweasel
protects the user against attacks like DNS spoofing.
Then, let's try with Gwibber: I've added an Identi.ca account and
clicked on Authorize. Nothing happened on the Gwibber side, but
/var/log/apache2/ssl_access.log shows a line:
127.0.0.1 - - [05/Jun/2011:00:23:57 +0200] "POST /api/oauth/request_token HTTP/1.1" 404 1623 "-" "Python-urllib/2.6"
This is wrong!
Here this isn't much of a problem because my server doesn't do anything
useful, but Gwibber is potentially vulnerable to man-in-the-middle
attacks.
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
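The client-side fix this test calls for, as an added example that is not gwibber's code and not from this thread: a Python 3 replacement for the urllib2 call that verifies the server's certificate chain and host name before any Authorization header is sent, plus a check that would have rejected the local fake identi.ca above. The names connect, verifying_context, non_verifying_context and is_verifying are this example's own.

```python
import ssl
import urllib.request
from urllib.parse import urlparse

# Added example, not gwibber's code: a verified replacement for the
# urllib2.urlopen() call that posted the OAuth request to a spoofed identi.ca.


def verifying_context(cafile=None):
    """Client context that requires a trusted chain AND a matching host name.

    cafile=None uses the system trust store; pass a bundle path to pin one.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def non_verifying_context():
    """What the Python 2.6 urllib2 client amounted to: no peer check at all.

    Present only so that the contrast can be tested.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx):
    """True only if the context would have rejected the local fake server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def connect(url, data=None, auth_header=None, ctx=None, timeout=10):
    """Send an (optionally OAuth-signed) request, refusing unverified TLS."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing to send credentials over %s" % url)
    if ctx is None:
        ctx = verifying_context()
    if not is_verifying(ctx):
        raise ValueError("SSL context does not verify the peer")
    headers = {"Authorization": auth_header} if auth_header else {}
    req = urllib.request.Request(url, data, headers)
    # A bad chain or host-name mismatch now raises ssl.SSLCertVerificationError
    # here, before the Authorization header leaves the machine.
    return urllib.request.urlopen(req, context=ctx, timeout=timeout).read()
```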
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#608724; Package gwibber. (Sat, 04 Jun 2011 22:45:03 GMT)
Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Sat, 04 Jun 2011 22:45:03 GMT)
Message #27 received at 608724@bugs.debian.org:
found 608724 3.0.0.1-2
thanks
On 2011-06-05 00:37:52 +0200, Vincent Lefevre wrote:
> I confirm the security bug: the certificate is *not* checked.
> Here's what I did:
[...]
This test was done with gwibber / gwibber-service-identica 3.0.0.1-2.
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
Bug Marked as found in versions gwibber/3.0.0.1-2. Request was from Vincent Lefevre <vincent@vinc17.net> to control@bugs.debian.org. (Sat, 04 Jun 2011 22:45:06 GMT)
Bug Marked as found in versions gwibber/1.2.0+bzr358-3. Request was from Evgeni Golov <evgeni@debian.org> to control@bugs.debian.org. (Sun, 12 Jun 2011 13:21:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#608724; Package gwibber. (Sun, 12 Jun 2011 13:24:06 GMT)
Acknowledgement sent to Evgeni Golov <evgeni@debian.org>: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Sun, 12 Jun 2011 13:24:07 GMT)
Message #36 received at 608724@bugs.debian.org:
Hi,
this bug can also be found in 1.2.0+bzr358-3:
gwibber/microblog/identica.py:
    def connect(self, url, data = None):
        return urllib2.urlopen(urllib2.Request(
            url, data, {"Authorization": self.get_auth()})).read()
Also, this is not limited to identi.ca, but all
statusnet/laconica/whatever sites and possibly also other interfaces.
[grep for urllib(2)?\.urlopen to find possible cases]
A possible solution would be:
http://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python/3551700#3551700
--
Bruce Schneier can read and understand Perl programs.
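An added example, not from the thread: the "grep for urllib(2)?\.urlopen" suggestion above as an AST walk over Python source, run on the identica.py fragment quoted in this message (re-indented so it parses) and on a fixed variant for contrast. The function and variable names are this example's own.

```python
import ast

# Added example, not part of the bug report: every urlopen() call (urllib2 or
# urllib.request) without an explicit context= keyword is reported, since such
# calls verified nothing under Python 2.6 and need a verifying ssl.SSLContext
# (or an equivalent opener) before credentials may go through them.

URLOPEN_NAMES = ("urllib2.urlopen", "urllib.request.urlopen", "urlopen")


def _dotted_name(node):
    """'urllib2.urlopen' for the callee of a Call node, or None if dynamic."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def find_unverified_urlopen(source, filename="<string>"):
    """Return (filename, line, callee) for each urlopen() call lacking context=."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted_name(node.func)
        if callee in URLOPEN_NAMES and not any(
                kw.arg == "context" for kw in node.keywords):
            findings.append((filename, node.lineno, callee))
    return findings


# Constructed input: the gwibber/microblog/identica.py fragment quoted above,
# re-indented so that it parses, plus a fixed variant for contrast.
GWIBBER_SNIPPET = """\
import urllib2

class Client:
    def connect(self, url, data = None):
        return urllib2.urlopen(urllib2.Request(
            url, data, {"Authorization": self.get_auth()})).read()
"""
FIXED_SNIPPET = """\
import ssl, urllib.request
ctx = ssl.create_default_context()
body = urllib.request.urlopen("https://identi.ca/", context=ctx).read()
"""
```

Running find_unverified_urlopen(GWIBBER_SNIPPET, "identica.py") reports the urllib2.urlopen call on line 5 of the snippet; the fixed variant yields no findings.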
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#608724; Package gwibber. (Sun, 01 Jan 2012 19:51:03 GMT)
Acknowledgement sent to Julien Cristau <jcristau@debian.org>: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Sun, 01 Jan 2012 19:51:04 GMT)
Message #41 received at 608724@bugs.debian.org:
On Sun, Jun 12, 2011 at 15:22:24 +0200, Evgeni Golov wrote:
> Hi,
>
> this bug can also be found in 1.2.0+bzr358-3:
>
> gwibber/microblog/identica.py:
>     def connect(self, url, data = None):
>         return urllib2.urlopen(urllib2.Request(
>             url, data, {"Authorization": self.get_auth()})).read()
>
> Also, this is not limited to identi.ca, but all
> statusnet/laconica/whatever sites and possibly also other interfaces.
> [grep for urllib(2)?\.urlopen to find possible cases]
>
> A possible solution would be:
> http://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python/3551700#3551700
>
Is there any progress with this?
Cheers,
Julien
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#608724; Package gwibber. (Sun, 27 May 2012 22:42:04 GMT)
Acknowledgement sent to Cyril Brulebois <kibi@debian.org>: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Sun, 27 May 2012 22:42:04 GMT)
Message #48 received at 608724@bugs.debian.org:
Julien Cristau <jcristau@debian.org> (01/01/2012):
> On Sun, Jun 12, 2011 at 15:22:24 +0200, Evgeni Golov wrote:
> > A possible solution would be:
> > http://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python/3551700#3551700
> >
> Is there any progress with this?
Ping?
Mraw,
KiBi.
Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 18 Oct 2012 16:36:04 GMT)
Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>: You have taken responsibility. (Sun, 13 Sep 2015 18:54:46 GMT)
Notification sent to Vincent Lefevre <vincent@vinc17.net>: Bug acknowledged by developer. (Sun, 13 Sep 2015 18:54:46 GMT)
Message #55 received at 608724-done@bugs.debian.org:
Version: 3.0.0.1-2.2+rm
Dear submitter,
as the package gwibber has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/798853
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 Oct 2015 07:30:40 GMT)
Last modified: Tue Jan 30 08:01:25 2024