Debian Bug report logs - #696681
falconpl: CVE-2012-6070: possible security issue due to misuse of the libcurl API

Package: falconpl; Maintainer for falconpl is Kartik Mistry <kartik@debian.org>; Source for falconpl is src:falconpl.

Reported by: Alessandro Ghedini <ghedo@debian.org>

Date: Tue, 25 Dec 2012 17:45:02 UTC

Severity: serious

Tags: security

Fixed in version falconpl/0.9.6.9-git20120606-2

Done: Kartik Mistry <kartik@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#696681; Package falconpl. (Tue, 25 Dec 2012 17:45:05 GMT)

Acknowledgement sent to Alessandro Ghedini <ghedo@debian.org>:
New Bug report received and forwarded. Copy sent to Kartik Mistry <kartik@debian.org>. (Tue, 25 Dec 2012 17:45:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: submit@bugs.debian.org
Subject: falconpl: possible security issue due to misuse of the libcurl API
Date: Tue, 25 Dec 2012 18:41:13 +0100
Package: falconpl
Severity: serious
Tags: security

Hi,

I recently discovered that falconpl is using the libcurl API in a way that may
not be what the original author intended. In particular I'm referring to the
fact that the CURLOPT_SSL_VERIFYHOST option is treated as if it were a boolean value
while in fact it isn't (it may take three different values):

  case CURLOPT_SSL_VERIFYHOST:
  case CURLOPT_SSL_SESSIONID_CACHE:
   {
     long bVal = i_data->isTrue() ? 1 : 0;
     ret = curl_easy_setopt( curl, iOpt, bVal );
   }
   break;

(from the file modules/native/curl/src/curl_ext.cpp)

Setting the value to "0" disables the host checks, but setting it to "1" does
not enable them (well, not all of them) and this may lead to security issues.
The correct value to enable all the security checks is "2".

From the libcurl documentation:

> When CURLOPT_SSL_VERIFYHOST is 2, that certificate must indicate that the
> server is the server to which you meant to connect, or the connection fails.
> 
> Curl considers the server the intended one when the Common Name field or a
> Subject Alternate Name field in the certificate matches the host name in the
> URL to which you told Curl to connect.
> 
> When the value is 1, the certificate must contain a Common Name field, but it
> doesn't matter what name it says. (This is not ordinarily a useful setting).
> 
> When the value is 0, the connection succeeds regardless of the names in the
> certificate.

After discussing this with the security team, it was decided that it would be
best if this was fixed before the Wheezy release.

Note that this should be fixed anyway, since as of curl v7.28.1 (which has been
uploaded to experimental) the value "1" is not a valid value anymore and libcurl
will return an error.

A possible fix should be discussed with the falconpl upstream first.

Cheers

-- 
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
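
The difference between the three CURLOPT_SSL_VERIFYHOST values described in the report above, as an added example that is not part of the original message or of the falconpl or libcurl code. It is a constructed model of the quoted documentation text only; the `struct cert` type, the function names, the host names and the "strict" mapping are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <strings.h>

/* Constructed model of the three levels quoted from the libcurl documentation
 * above. Not libcurl code: exact-name matching only, no chain validation. */
struct cert {
    const char *common_name;   /* NULL when the certificate has no CN */
    const char *alt_names[4];  /* Subject Alternate Names, NULL-terminated */
};

static int name_matches(const struct cert *c, const char *host)
{
    if (c->common_name && strcasecmp(c->common_name, host) == 0)
        return 1;
    for (size_t i = 0; i < 4 && c->alt_names[i]; i++)
        if (strcasecmp(c->alt_names[i], host) == 0)
            return 1;
    return 0;
}

/* 1 = host check passes, 0 = connection would fail. */
int host_check_passes(long level, const struct cert *c, const char *host)
{
    switch (level) {
    case 0:  return 1;                       /* names are ignored */
    case 1:  return c->common_name != NULL;  /* a CN exists, any value */
    case 2:  return name_matches(c, host);   /* CN or SAN must match */
    default: return 0;
    }
}

/* Mapping shown in the report: a script-level boolean becomes 0 or 1. */
long verifyhost_as_boolean(int is_true) { return is_true ? 1L : 0L; }

/* Assumed corrected mapping: "true" selects 2, the value the report names. */
long verifyhost_strict(int is_true) { return is_true ? 2L : 0L; }

int main(void)
{
    /* Constructed certificate issued for a different host than the URL. */
    struct cert other = { "other.example", { NULL } };
    const char *url_host = "www.example.org";

    printf("boolean mapping accepts: %d\n",
           host_check_passes(verifyhost_as_boolean(1), &other, url_host));
    printf("strict mapping accepts:  %d\n",
           host_check_passes(verifyhost_strict(1), &other, url_host));
    return 0;
}
```

With the boolean mapping, a script that asks for host verification still accepts a certificate issued for a different name; with the value 2 the same certificate is rejected.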

Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#696681; Package falconpl. (Wed, 26 Dec 2012 05:51:03 GMT)

Acknowledgement sent to Kartik Mistry <kartik.mistry@gmail.com>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Wed, 26 Dec 2012 05:51:03 GMT)

Message #10 received at 696681@bugs.debian.org:

From: Kartik Mistry <kartik.mistry@gmail.com>
To: Alessandro Ghedini <ghedo@debian.org>, 696681@bugs.debian.org
Cc: Vasudev Kamath <kamathvasudev@gmail.com>
Subject: Re: Bug#696681: falconpl: possible security issue due to misuse of the libcurl API
Date: Wed, 26 Dec 2012 11:16:59 +0530
On Tue, Dec 25, 2012 at 11:11 PM, Alessandro Ghedini <ghedo@debian.org> wrote:
> After discussing this with the security team, it was decided that it would be
> best if this was fixed before the Wheezy release.
>
> Note that this should be fixed anyway, since as of curl v7.28.1 (which has been
> uploaded to experimental) the value "1" is not a valid value anymore and libcurl
> will return an error.

Sorry! I went on an unexpected vacation in the middle of this.

> A possible fix should be discussed with the falconpl upstream first.

This is done already:
https://groups.google.com/forum/?fromgroups=#!msg/falconpl/Vnnv0yb-_Bg/Vkl5RFHEk8QJ
(and related discussions on IRC at #falconpl, Freenode)

Should the fix go via unstable->testing, or does a testing proposed upload
need to be done in this case? I'm preparing packages right now.

-- 
Kartik Mistry | IRC: kart_
{0x1f1f, kartikm}.wordpress.com



Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#696681; Package falconpl. (Wed, 26 Dec 2012 06:39:03 GMT)

Acknowledgement sent to Vasudev Kamath <kamathvasudev@gmail.com>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Wed, 26 Dec 2012 06:39:03 GMT)

Message #15 received at 696681@bugs.debian.org:

From: Vasudev Kamath <kamathvasudev@gmail.com>
To: Kartik Mistry <kartik.mistry@gmail.com>
Cc: Alessandro Ghedini <ghedo@debian.org>, 696681@bugs.debian.org
Subject: Re: Bug#696681: falconpl: possible security issue due to misuse of the libcurl API
Date: Wed, 26 Dec 2012 12:03:45 +0530
On Wed, Dec 26, 2012 at 11:16 AM, Kartik Mistry <kartik.mistry@gmail.com> wrote:
> This is done already:
> https://groups.google.com/forum/?fromgroups=#!msg/falconpl/Vnnv0yb-_Bg/Vkl5RFHEk8QJ
> (and related discussions on IRC at #falconpl, Freenode)

Just a note: the patch is already merged into upstream [1]

[1] http://git.falconpl.org/cgit.cgi/falcon/commit/?id=93d94a88a8bb073e609327ceca704b313e1309ff

--

Vasudev Kamath
http://copyninja.info
copyninja@{frndk.de|vasudev.homelinux.net}



Reply sent to Kartik Mistry <kartik@debian.org>:
You have taken responsibility. (Wed, 26 Dec 2012 09:51:05 GMT)

Notification sent to Alessandro Ghedini <ghedo@debian.org>:
Bug acknowledged by developer. (Wed, 26 Dec 2012 09:51:05 GMT)

Message #20 received at 696681-close@bugs.debian.org:

From: Kartik Mistry <kartik@debian.org>
To: 696681-close@bugs.debian.org
Subject: Bug#696681: fixed in falconpl 0.9.6.9-git20120606-2
Date: Wed, 26 Dec 2012 09:47:50 +0000
Source: falconpl
Source-Version: 0.9.6.9-git20120606-2

We believe that the bug you reported is fixed in the latest version of
falconpl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696681@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kartik Mistry <kartik@debian.org> (supplier of updated falconpl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 26 Dec 2012 11:12:33 +0530
Source: falconpl
Binary: libfalcon-engine1 libfalcon-engine1-dbg falconpl falconpl-dbg falconpl-dev falconpl-mongodb falconpl-curl falconpl-dbi falconpl-dbi-sqlite3 falconpl-dbi-mysql falconpl-dbi-postgresql falconpl-dbi-firebird falconpl-dbus falconpl-hpdf falconpl-dmtx falconpl-gd2 falconpl-gtk falconpl-sdl
Architecture: source amd64
Version: 0.9.6.9-git20120606-2
Distribution: unstable
Urgency: medium
Maintainer: Kartik Mistry <kartik@debian.org>
Changed-By: Kartik Mistry <kartik@debian.org>
Description: 
 falconpl   - Falcon P.L. - command line tools
 falconpl-curl - Curl bindings for Falcon P.L
 falconpl-dbg - Falcon P.L. - debugging symbols
 falconpl-dbi - Database Abstraction Layer for Falcon P.L
 falconpl-dbi-firebird - Firebird SQL database abstraction layer for Falcon P.L
 falconpl-dbi-mysql - MySQL database abstraction layer for Falcon P.L
 falconpl-dbi-postgresql - PostgreSQL database abstraction layer for Falcon P.L
 falconpl-dbi-sqlite3 - SQLite3 database abstraction for Falcon P.L
 falconpl-dbus - DBus client functionality for Falcon scripts
 falconpl-dev - Falcon P.L. - development files
 falconpl-dmtx - Falcon module for reading Data Matrix barcodes
 falconpl-gd2 - Falcon graphic image manipulation module
 falconpl-gtk - Falcon GTK+ wrapper module
 falconpl-hpdf - Falcon module for generating PDF files
 falconpl-mongodb - MongoDB bindings for Falcon P.L
 falconpl-sdl - Falcon SDL wrapper module
 libfalcon-engine1 - Falcon Programming Language engine
 libfalcon-engine1-dbg - Falcon P.L. engine - debugging symbols
Closes: 696681
Changes: 
 falconpl (0.9.6.9-git20120606-2) unstable; urgency=medium
 .
   * debian/patches/02-Fixed-the-value-set-for-CURLOPT_SSL_VERIFYHOST.patch:
     + Added patch to fix possible security issue due to misuse of the libcurl
       API. Patch has been accepted upstream and discussed. (Closes: #696681)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDar50ACgkQoRg/jtECjI2JmgCdHNso71CJnKy75EpIt9kim1K/
1pIAnjLiqRvovkCisaSVmsiMEE+Yxn4H
=0a61
-----END PGP SIGNATURE-----




Changed Bug title to 'falconpl: CVE-2012-6070: possible security issue due to misuse of the libcurl API' from 'falconpl: possible security issue due to misuse of the libcurl API' Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 15 Jan 2013 22:21:10 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 13 Feb 2013 07:27:35 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 18:57:36 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.