Debian Bug report logs - #631422
does not use SSL on identi.ca / ignores SSL certificates on Twitter


Package: turpial; Maintainer for turpial is (unknown);

Reported by: Evgeni Golov <evgeni@debian.org>

Date: Thu, 23 Jun 2011 17:57:05 UTC

Severity: grave

Tags: security, upstream

Found in version turpial/1.5.0-1

Fixed in version turpial/1.6.7-1+ds1-1

Done: Miguel Landaeta <miguel@miguel.cc>

Bug is archived. No further changes may be made.

Forwarded to http://dev.turpial.org.ve/issues/459



Report forwarded to debian-bugs-dist@lists.debian.org, evgeni@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Efrain Valles Pulgar <effie.jayx@gmail.com>:
Bug#631422; Package turpial. (Thu, 23 Jun 2011 17:57:07 GMT) (full text, mbox, link).


Acknowledgement sent to Evgeni Golov <evgeni@debian.org>:
New Bug report received and forwarded. Copy sent to evgeni@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Efrain Valles Pulgar <effie.jayx@gmail.com>. (Thu, 23 Jun 2011 17:57:08 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Evgeni Golov <evgeni@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: does not use SSL on identi.ca / ignores SSL certificates on Twitter
Date: Thu, 23 Jun 2011 19:55:37 +0200
Package: turpial
Version: 1.5.0-1
Severity: grave
Tags: security

Hi,

Inspired by the same bug in gwibber (https://bugs.launchpad.net/gwibber/+bug/705363),
heybuddy (https://bugs.launchpad.net/heybuddy/+bug/798300) and pino
(http://code.google.com/p/pino-twitter/issues/detail?id=339) I checked turpial
and it failed the same way :(

For identi.ca HTTPS is not even used (username/password are sent as plaintext
to the server). Editing api/protocols/identica/identica.py to use
https://identi.ca/api as API endpoint does not help much: SSL is used, but
certificates aren't checked, making man-in-the-middle attacks possible.

For Twitter HTTPS is used, but the same no-cert-verify flaw applies here.

regards
Evgeni Golov

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-rc3+ (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages turpial depends on:
ii  gstreamer0.10-plugins-base  0.10.34-1    GStreamer plugins from the "base" 
ii  python                      2.6.6-14     interactive high-level object-orie
ii  python-gst0.10              0.10.21-2+b1 generic media-playing framework (P
ii  python-gtk2                 2.24.0-2     Python bindings for the GTK+ widge
ii  python-gtkspell             2.25.3-10    Python bindings for the GtkSpell l
ii  python-notify               0.1.1-2+b3   Python bindings for libnotify
ii  python-oauth                1.0.1-3      Python library implementing of the
ii  python-pkg-resources        0.6.16-1     Package Discovery and Resource Acc
ii  python-simplejson           2.1.6-1      simple, fast, extensible JSON enco
ii  python-webkit               1.1.8-2      WebKit/Gtk Python bindings
ii  python2.6                   2.6.7-1      An interactive high-level object-o
ii  python2.7                   2.7.2-1      An interactive high-level object-o

turpial recommends no packages.

turpial suggests no packages.

-- no debconf information




Set Bug forwarded-to-address to 'http://dev.turpial.org.ve/issues/375'. Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Tue, 04 Oct 2011 01:42:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Miguel Landaeta <miguel@miguel.cc>:
Bug#631422; Package turpial. (Wed, 28 Dec 2011 14:18:19 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Miguel Landaeta <miguel@miguel.cc>. (Wed, 28 Dec 2011 14:18:20 GMT) (full text, mbox, link).


Message #12 received at 631422@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>
To: Miguel Landaeta <miguel@miguel.cc>
Cc: 631422@bugs.debian.org
Subject: Re: your mail
Date: Wed, 28 Dec 2011 15:17:43 +0100
On Mon, Oct  3, 2011 at 21:11:21 -0430, Miguel Landaeta wrote:

> forwarded 631422 http://dev.turpial.org.ve/issues/375

This is 404...

Cheers,
Julien




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#631422; Package turpial. (Thu, 29 Dec 2011 00:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>:
Extra info received and forwarded to list. (Thu, 29 Dec 2011 00:42:03 GMT) (full text, mbox, link).


Message #17 received at 631422@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <miguel@miguel.cc>
To: Wil Alvarez <wil.alejandro@gmail.com>
Cc: 631422@bugs.debian.org
Subject: Re: Bug#631422: your mail
Date: Wed, 28 Dec 2011 20:09:21 -0430
On Wed, Dec 28, 2011 at 9:47 AM, Julien Cristau <jcristau@debian.org> wrote:
> On Mon, Oct  3, 2011 at 21:11:21 -0430, Miguel Landaeta wrote:
>
>> forwarded 631422 http://dev.turpial.org.ve/issues/375
>
> This is 404...

Hi Wil,

Is there a way to track the progress of this issue at upstream?
The issue just disappeared from the tracker several weeks ago.

If it is not correct to send this directly to you, just redirect me to
the correct mailing list or whatever.

Cheers,

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#631422; Package turpial. (Fri, 30 Dec 2011 23:48:07 GMT) (full text, mbox, link).


Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>:
Extra info received and forwarded to list. (Fri, 30 Dec 2011 23:48:07 GMT) (full text, mbox, link).


Message #22 received at 631422@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <miguel@miguel.cc>
To: 631422@bugs.debian.org
Subject: Fwd: SSL verification bug
Date: Fri, 30 Dec 2011 19:14:38 -0430
tags 631422 + pending upstream
forwarded 631422 http://dev.turpial.org.ve/issues/459
thanks


---------- Forwarded message ----------
From: Wil Alvarez <wil.alejandro@gmail.com>
Date: Thu, Dec 29, 2011 at 9:05 PM
Subject: SSL verification bug
To: turpial-dev@googlegroups.com
Cc: Miguel Landaeta <miguel@miguel.cc>


Good nights,

Today our friend Miguel Landaeta sent me an email about the SSL
verification bug in Turpial, basically because it disappeared from our
BTS [1] and because the Turpial package was being removed from Debian
testing because this bug hadn't been closed/fixed yet. So I dropped
everything I was doing and started to fix it.

The first explanation is about the ticket. Carlos Guerrero and I did a
bug triage a couple of weeks ago and we moved it to libturpial project
in order to fix it ASAP (because I stopped working with Turpial 1.x
and started with Turpial 2.x) but for some unknown reason Redmine
changed its id and the bug became unreachable. Now you can track it
from [2].

The second explanation is about the bug. Carlos and I were checking
some examples and implementations [3][4] and finally we came up with a
solution implemented first in libturpial and then in Turpial (stable).
I've released a maintenance version of Turpial with this fix (1.6.7)
available in our files repo [5] or from source code in github repo
[6].

Please update your current version (updating the git master branch or
installing a fresh version from sources) and test it to verify that
everything is ok. Any issue can be reported in the BTS [2].

Regards


[1] http://dev.turpial.org.ve/issues/375
[2] http://dev.turpial.org.ve/issues/459
[3] http://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python/3551700#3551700
[4] http://wiki.python.org/moin/SSL
[5] http://turpial.org.ve/files/sources/stable/
[6] http://github.com/satanas/Turpial/tree/master

--
“Yo construyo Soberanía, uso Software Libre”
Wil A. Alvarez
Linux Counter #415026
Debian Counter #259
http://turpial.org.ve
http://damncorner.blogspot.com/



-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
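Evgeni's report and Wil's fix notes above describe the same two defects: an API endpoint reached over plain http, and TLS negotiated without any certificate or hostname verification. The block below is an added example, not turpial's or libturpial's code, written against the modern Python 3 `ssl` module: it shows the pre-fix context beside a verifying one, an https-only endpoint check, and an explicit hostname match over a constructed `getpeercert()`-shaped record (the `cafile` argument, `SAMPLE_CERT` and the function names are assumptions, not the project's API).

```python
import socket
import ssl
from urllib.parse import urlsplit

SAMPLE_CERT = {  # constructed, shaped like ssl.SSLSocket.getpeercert(); not a real cert
    "subject": ((("commonName", "identi.ca"),),),
    "subjectAltName": (("DNS", "identi.ca"), ("DNS", "*.identi.ca")),
}

def https_host(endpoint):
    """Refuse an API endpoint that would send the user's credentials in clear text."""
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("API endpoint must use https://, got %r" % endpoint)
    return parts.hostname

def insecure_context():
    """Pre-fix behaviour: TLS is negotiated, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verifying_context(cafile=None):
    """Hardened: chain validated against a CA bundle (cafile, or the system default)."""
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx

def context_verifies(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def _dns_match(pattern, hostname):
    """RFC 6125 rule: '*' may stand in for the whole left-most label only."""
    p, h = pattern.lower().rstrip(".").split("."), hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or ("*" in pattern and len(p) < 3):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def hostname_matches(cert, hostname):
    """The step 2011-era clients skipped; SAN dNSName wins, CN is only a fallback."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, hostname) for n in names)

def connect(endpoint, cafile=None):
    """Verified TLS connection; server_hostname drives both SNI and hostname checking."""
    host = https_host(endpoint)
    sock = socket.create_connection((host, 443))
    return verifying_context(cafile).wrap_socket(sock, server_hostname=host)
```

With `check_hostname` left at its default, OpenSSL performs the name check itself during the handshake; `hostname_matches` spells that check out so the missing step in the original clients is visible.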




Added tag(s) upstream and pending. Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Fri, 30 Dec 2011 23:48:09 GMT) (full text, mbox, link).


Changed Bug forwarded-to-address to 'http://dev.turpial.org.ve/issues/459' from 'http://dev.turpial.org.ve/issues/375'. Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Fri, 30 Dec 2011 23:48:09 GMT) (full text, mbox, link).


Reply sent to Miguel Landaeta <miguel@miguel.cc>:
You have taken responsibility. (Fri, 06 Jan 2012 00:24:04 GMT) (full text, mbox, link).


Notification sent to Evgeni Golov <evgeni@debian.org>:
Bug acknowledged by developer. (Fri, 06 Jan 2012 00:24:04 GMT) (full text, mbox, link).


Message #31 received at 631422-close@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <miguel@miguel.cc>
To: 631422-close@bugs.debian.org
Subject: Bug#631422: fixed in turpial 1.6.7-1+ds1-1
Date: Fri, 06 Jan 2012 00:21:20 +0000
Source: turpial
Source-Version: 1.6.7-1+ds1-1

We believe that the bug you reported is fixed in the latest version of
turpial, which is due to be installed in the Debian FTP archive:

turpial_1.6.7-1+ds1-1.debian.tar.gz
  to main/t/turpial/turpial_1.6.7-1+ds1-1.debian.tar.gz
turpial_1.6.7-1+ds1-1.dsc
  to main/t/turpial/turpial_1.6.7-1+ds1-1.dsc
turpial_1.6.7-1+ds1-1_all.deb
  to main/t/turpial/turpial_1.6.7-1+ds1-1_all.deb
turpial_1.6.7-1+ds1.orig.tar.gz
  to main/t/turpial/turpial_1.6.7-1+ds1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631422@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <miguel@miguel.cc> (supplier of updated turpial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Jan 2012 18:37:32 -0430
Source: turpial
Binary: turpial
Architecture: source all
Version: 1.6.7-1+ds1-1
Distribution: unstable
Urgency: high
Maintainer: Miguel Landaeta <miguel@miguel.cc>
Changed-By: Miguel Landaeta <miguel@miguel.cc>
Description: 
 turpial    - Light, fast, and fully functional Twitter client written in Pytho
Closes: 631422
Changes: 
 turpial (1.6.7-1+ds1-1) unstable; urgency=high
 .
   * New upstream release. (Closes: #631422).
   * Include patch to set path of SSL CA certificates.
   * Update watch file.





Information forwarded to debian-bugs-dist@lists.debian.org, Miguel Landaeta <miguel@miguel.cc>:
Bug#631422; Package turpial. (Wed, 11 Jan 2012 06:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to nullrend <nullrend@nullrend.com>:
Extra info received and forwarded to list. Copy sent to Miguel Landaeta <miguel@miguel.cc>. (Wed, 11 Jan 2012 06:03:05 GMT) (full text, mbox, link).


Message #36 received at 631422@bugs.debian.org (full text, mbox, reply):

From: nullrend <nullrend@nullrend.com>
To: 631422@bugs.debian.org
Subject: turpial backport
Date: Tue, 10 Jan 2012 23:59:27 -0600
Hi, I'd be interested in obtaining a .deb of the backported application as
well.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#631422; Package turpial. (Thu, 12 Jan 2012 03:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>:
Extra info received and forwarded to list. (Thu, 12 Jan 2012 03:48:04 GMT) (full text, mbox, link).


Message #41 received at 631422@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <miguel@miguel.cc>
To: 650243@bugs.debian.org, nullrend <nullrend@nullrend.com>
Cc: 631422@bugs.debian.org
Subject: Re: turpial backport
Date: Wed, 11 Jan 2012 23:16:42 -0430
On Tue, Jan 10, 2012 at 11:59:27PM -0600, nullrend wrote:
> Hi, I'd be interested in obtaining a .deb of the backported application as
> well.

Hi,

The correct bug report for backported turpial is #650243.

I'll prepare a backport when the fix for #631422 reaches testing
(in 4 days or so).

After that, I'll look for a sponsor willing to do an upload of that
backport to squeeze-backports.

Regards,

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 13 Feb 2012 07:33:23 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jan 30 08:01:31 2024; Machine Name: bembo


Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.