Debian Bug report logs - #706094
telepathy-idle: CVE-2007-6746: does not verify TLS certificates


Package: telepathy-idle; Maintainer for telepathy-idle is Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>; Source for telepathy-idle is src:telepathy-idle.

Reported by: Simon McVittie <smcv@debian.org>

Date: Wed, 24 Apr 2013 15:30:07 UTC

Severity: important

Tags: security, upstream

Found in version telepathy-idle/0.1.6-1

Fixed in version telepathy-idle/0.1.15-1

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>:
Bug#706094; Package telepathy-idle. (Wed, 24 Apr 2013 15:30:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>. (Wed, 24 Apr 2013 15:30:12 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: telepathy-idle: does not verify TLS certificates properly
Date: Wed, 24 Apr 2013 16:25:46 +0100
Package: telepathy-idle
Version: 0.1.6-1
Severity: important
Tags: upstream

telepathy-idle < 0.1.15 does not verify that the server's TLS certificate was
issued by a trusted CA, or that it hasn't expired, or that it matches the
server's hostname.

Additionally, telepathy-idle < 0.1.11 does not do any verification at all.

    S
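The report above separates three distinct checks a TLS client has to make (trusted issuer, validity period, and a name match against the server it meant to reach) and two historical failure modes (no verification at all before 0.1.11, chain verification without a hostname check before 0.1.15). The following Python is an added illustration written for this bug log, not telepathy-idle's own code (which is C); it uses the standard library `ssl` module to build the three client configurations and report which checks each one performs, and adds a small hostname-matching routine over a `getpeercert()`-style dictionary so the check that 0.1.11–0.1.14 skipped is visible as code. `SAMPLE_CERT`, the hostnames and the dates are constructed for the example.

```python
"""Added example for Debian #706094: what 'verifies TLS certificates properly'
means on the client side.  Not telepathy-idle code; constructed for this log."""
import ssl
from datetime import datetime, timezone


def no_verification_context() -> ssl.SSLContext:
    """Mirrors telepathy-idle < 0.1.11: the chain is never validated,
    so a self-signed or forged certificate is accepted silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_context() -> ssl.SSLContext:
    """Mirrors 0.1.11 <= version < 0.1.15: issuer and validity period are
    checked, but the certificate is never compared with the server name,
    so any valid certificate for any host passes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def verifying_context() -> ssl.SSLContext:
    """Mirrors >= 0.1.15.  create_default_context() already selects
    CERT_REQUIRED, check_hostname=True and loads the system trust store."""
    return ssl.create_default_context()


def audit(ctx: ssl.SSLContext) -> dict:
    """Report which of the three checks named in the bug report a context
    performs.  Issuer and expiry are one switch in OpenSSL (chain
    verification); the hostname match is a separate switch."""
    chain = ctx.verify_mode == ssl.CERT_REQUIRED
    return {"trusted_ca": chain,
            "not_expired": chain,
            "hostname": chain and bool(ctx.check_hostname)}


# Constructed peer certificate in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "irc.example.net"),),),
    "subjectAltName": (("DNS", "irc.example.net"), ("DNS", "*.example.net")),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Dec 31 23:59:59 2013 GMT",
}


def certificate_valid_at(cert: dict, when: datetime) -> bool:
    """Validity-period check (the 'hasn't expired' part of the report)."""
    t = when.timestamp()
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= t
            <= ssl.cert_time_to_seconds(cert["notAfter"]))


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name match: case-insensitive, a wildcard may only be
    the whole leftmost label, matches exactly one label, and may not stand in
    for a name as short as '*.net'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def certificate_matches_host(cert: dict, hostname: str) -> bool:
    """Hostname check (the 'matches the server's hostname' part).  DNS SANs
    take precedence; the subject CN is consulted only when no SAN exists."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for key, v in rdn if key == "commonName"]
    return any(dnsname_matches(n, hostname) for n in names)


if __name__ == "__main__":
    for label, ctx in (("no verification", no_verification_context()),
                       ("chain only", chain_only_context()),
                       ("verifying", verifying_context())):
        print(f"{label:16} {audit(ctx)}")
    now = datetime(2013, 4, 24, tzinfo=timezone.utc)
    print("valid today:", certificate_valid_at(SAMPLE_CERT, now))
    print("irc.example.net:", certificate_matches_host(SAMPLE_CERT, "irc.example.net"))
    print("irc.attacker.example:",
          certificate_matches_host(SAMPLE_CERT, "irc.attacker.example"))
```

The `chain_only_context` case is the one worth remembering: `verify_mode` alone looks like "verification is on", yet a certificate issued by a trusted CA to any other name is accepted, which is exactly the gap between 0.1.11 and 0.1.15. When reviewing a client, check both switches, not just whether a trust store is loaded.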



Added tag(s) security. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Wed, 24 Apr 2013 15:54:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>:
Bug#706094; Package telepathy-idle. (Wed, 24 Apr 2013 16:06:17 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>. (Wed, 24 Apr 2013 16:06:17 GMT) Full text and rfc822 format available.

Message #12 received at submit@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#706094: telepathy-idle: does not verify TLS certificates properly
Date: Wed, 24 Apr 2013 17:05:30 +0100
On Wed, 24 Apr 2013 at 16:25:46 +0100, Simon McVittie wrote:
> telepathy-idle < 0.1.15 does not verify that the server's TLS certificate was
> issued by a trusted CA, or that it hasn't expired, or that it matches the
> server's hostname.

Here is a proposed patch for wheezy, either via t-p-u for wheezy r0 or
security/s-p-u for wheezy r1.

    S
[0001-Validate-TLS-certificates-Closes-706094.patch (text/x-diff, attachment)]

Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Wed, 24 Apr 2013 16:21:20 GMT) Full text and rfc822 format available.

Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Wed, 24 Apr 2013 16:21:20 GMT) Full text and rfc822 format available.

Message #17 received at 706094-close@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: 706094-close@bugs.debian.org
Subject: Bug#706094: fixed in telepathy-idle 0.1.15-1
Date: Wed, 24 Apr 2013 16:17:49 +0000
Source: telepathy-idle
Source-Version: 0.1.15-1

We believe that the bug you reported is fixed in the latest version of
telepathy-idle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 706094@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated telepathy-idle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 24 Apr 2013 16:34:58 +0100
Source: telepathy-idle
Binary: telepathy-idle
Architecture: source amd64
Version: 0.1.15-1
Distribution: unstable
Urgency: low
Maintainer: Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 telepathy-idle - IRC connection manager for Telepathy
Closes: 706094
Changes: 
 telepathy-idle (0.1.15-1) unstable; urgency=low
 .
   * Merge from experimental to unstable
   * New upstream release
     - update build-dependencies
     - verifies TLS certificates properly (Closes: #706094)
Checksums-Sha1: 
 7b777da70f56e83fc46073de2b4458ce7149209a 2267 telepathy-idle_0.1.15-1.dsc
 0946ddda5a56decd127cf8256c00e26f8da08e1d 551718 telepathy-idle_0.1.15.orig.tar.gz
 14fbf2024b7ea3c06f11194a997c0dad6bd3b159 5077 telepathy-idle_0.1.15-1.debian.tar.gz
 c7bc6a1e3b358a064414fbcbec0e3f79d8a1ea2f 131486 telepathy-idle_0.1.15-1_amd64.deb
Checksums-Sha256: 
 3ab5aaf1efa42cfba070d302ff2ab475255fb40564aa046b2347c63f6f29ee46 2267 telepathy-idle_0.1.15-1.dsc
 0090679f637a11384332e36526f5f32307eeec7003c0c07e2cb31c2707d2ee4e 551718 telepathy-idle_0.1.15.orig.tar.gz
 0d88ea9cf72c6d7a91b7580bd8f24c447d1e5ffc1ea6266420a1b1ac4d48278f 5077 telepathy-idle_0.1.15-1.debian.tar.gz
 4e6681f6aae7f04e97a85d4917fbc6c5d847248f43a51f624b62d57a81999d31 131486 telepathy-idle_0.1.15-1_amd64.deb
Files: 
 26e094676b8ca5a899fe1daae368d091 2267 net optional telepathy-idle_0.1.15-1.dsc
 56f960ed1d9ed0c01e0b9f7eb68dbebe 551718 net optional telepathy-idle_0.1.15.orig.tar.gz
 2b0e221cb366d1cd878d0a4da92a952f 5077 net optional telepathy-idle_0.1.15-1.debian.tar.gz
 7af98727a3c4dc468b919fa00c3ce527 131486 net optional telepathy-idle_0.1.15-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIVAwUBUXgCQU3o/ypjx8yQAQhYLg/8DkifIKDpkmQ9zG/cvlf/abJ1jeOOtCCF
GUznWD7/P7KQMFxeRFJKNZYe90pE4dFA6KPK8qoKc7dFDldCNEaomAfcGe2n332O
RP40YlIrGbhiiXUP1WlmzHI9t3eWQwlBzbhsyJwMJJTcLiTu2vX4hb/GKs4I7xk6
xOjtGFFdKWhOIWBYohFqE7KsW6iLIM8kyLihWIaVE1swNP2BVYNVRhPG46eljVDr
0JCtehWcZWblQDlQ9gejCb5Wz+P2ZY6FsN1IA8ngAj7Jxa4EzyY/ksWNsZdJb7jz
1pjXHMvahHQoKO01h2IPycD0qS9LognEaj22jPvlhbA8QcoUkuU1zQMM5TiMxXhV
LZDIoiwlcgHROx9m7EtUbQq/PfL1Y9D9slSHDaHSb+seS34rL6gpy0GJnCS1cSMR
ye80KWBnIZmSKYDIxLS9PAVEFeIr/f+0cNYkSRjb2Qj3Wdhyp8hOiXqY4o90zf8L
p5BU2ccYIimRckDafVNFsuLULvs04m49BC6UlOXjgWkut+105LpP6CFR2tq8Ug+a
Hk6EeAv1ss7R2Q9xTS+qa+AHec5Gxpgte8uB20v7BUNF9DmF7rEJKgH+fHuaZfAO
KVe+dqf4OZ1ejGoRJNkmXngbZafqX/ILoTP4s1Gxeug62xvfp9BaEPB5Gkg8kGfl
9bf9cXXL8no=
=pO2Z
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>:
Bug#706094; Package telepathy-idle. (Wed, 24 Apr 2013 16:45:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>. (Wed, 24 Apr 2013 16:45:09 GMT) Full text and rfc822 format available.

Message #22 received at 706094@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: security@debian.org, 706094@bugs.debian.org
Subject: Re: Bug#706094: telepathy-idle: does not verify TLS certificates properly
Date: Wed, 24 Apr 2013 17:39:59 +0100
On 24/04/13 17:05, Simon McVittie wrote:
> On Wed, 24 Apr 2013 at 16:25:46 +0100, Simon McVittie wrote:
>> telepathy-idle < 0.1.15 does not verify that the server's TLS certificate was
>> issued by a trusted CA, or that it hasn't expired, or that it matches the
>> server's hostname.
> 
> Here is a proposed patch for wheezy, either via t-p-u for wheezy r0 or
> security/s-p-u for wheezy r1.

Security team: wheezy is vulnerable to this, and has a somewhat older
upstream version than unstable (so it can't migrate that way). How do
you want us to deal with this? I've re-attached the proposed patch for
wheezy for your reference.

I've requested a CVE ID on oss-security.

I don't have a patch for squeeze, which would require implementing
OpenSSL cert-checking in long-superseded code.

I don't think this is RC, particularly for squeeze: IRC is typically
used without SSL, and the telepathy-idle version in squeeze is a pretty
poor IRC implementation in general. It's telling that this is the one
Telepathy component that has never had a stable-branch...

    S
[0001-Validate-TLS-certificates-Closes-706094.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>:
Bug#706094; Package telepathy-idle. (Wed, 24 Apr 2013 19:39:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>. (Wed, 24 Apr 2013 19:39:07 GMT) Full text and rfc822 format available.

Message #27 received at 706094@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: Simon McVittie <smcv@debian.org>
Cc: security@debian.org, 706094@bugs.debian.org
Subject: Re: Bug#706094: telepathy-idle: does not verify TLS certificates properly
Date: Wed, 24 Apr 2013 21:36:27 +0200
On mer., 2013-04-24 at 17:39 +0100, Simon McVittie wrote:
> Security team: wheezy is vulnerable to this, and has a somewhat older
> upstream version than unstable (so it can't migrate that way). How do
> you want us to deal with this? I've re-attached the proposed patch for
> wheezy for your reference.

I guess TPU can be used for that; please synchronize with the release
team. I agree it's not material for a DSA.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>:
Bug#706094; Package telepathy-idle. (Mon, 29 Apr 2013 20:15:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>. (Mon, 29 Apr 2013 20:15:08 GMT) Full text and rfc822 format available.

Message #32 received at 706094@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Simon McVittie <smcv@debian.org>, 706094@bugs.debian.org
Subject: Re: Bug#706094: telepathy-idle: does not verify TLS certificates properly
Date: Mon, 29 Apr 2013 22:14:43 +0200
Control: retitle 706094 telepathy-idle: CVE-2013-2025: does not verify TLS certificates
Control: user debian-security@lists.debian.org
Control: usertags 706094 + tracked

Hi

On Wed, Apr 24, 2013 at 04:25:46PM +0100, Simon McVittie wrote:
> Package: telepathy-idle
> Version: 0.1.6-1
> Severity: important
> Tags: upstream
> 
> telepathy-idle < 0.1.15 does not verify that the server's TLS certificate was
> issued by a trusted CA, or that it hasn't expired, or that it matches the
> server's hostname.
> 
> Additionally, telepathy-idle < 0.1.11 does not do any verification at all.

CVE assigned for this: CVE-2013-2025

Regards,
Salvatore



Changed Bug title to 'telepathy-idle: CVE-2013-2025: does not verify TLS certificates' from 'telepathy-idle: does not verify TLS certificates properly' Request was from Salvatore Bonaccorso <carnil@debian.org> to 706094-submit@bugs.debian.org. (Mon, 29 Apr 2013 20:15:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>:
Bug#706094; Package telepathy-idle. (Mon, 29 Apr 2013 20:51:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>. (Mon, 29 Apr 2013 20:51:06 GMT) Full text and rfc822 format available.

Message #39 received at 706094@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 706094@bugs.debian.org
Cc: Simon McVittie <smcv@debian.org>
Subject: Re: Bug#706094: telepathy-idle: does not verify TLS certificates properly
Date: Mon, 29 Apr 2013 22:48:43 +0200
Control: retitle 706094 telepathy-idle: CVE-2007-6746: does not verify TLS certificates

Hi Simon

(Even if you already know ;-)), changing the title again. There is now the
correct CVE assignment for this issue: CVE-2007-6746.

Regards,
Salvatore



Changed Bug title to 'telepathy-idle: CVE-2007-6746: does not verify TLS certificates' from 'telepathy-idle: CVE-2013-2025: does not verify TLS certificates' Request was from Salvatore Bonaccorso <carnil@debian.org> to 706094-submit@bugs.debian.org. (Mon, 29 Apr 2013 20:51:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>:
Bug#706094; Package telepathy-idle. (Wed, 01 May 2013 12:45:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>. (Wed, 01 May 2013 12:45:09 GMT) Full text and rfc822 format available.

Message #46 received at 706094@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Simon McVittie <smcv@debian.org>
Cc: security@debian.org, 706094@bugs.debian.org
Subject: Re: Bug#706094: telepathy-idle: does not verify TLS certificates properly
Date: Wed, 1 May 2013 14:40:57 +0200
On Wed, Apr 24, 2013 at 05:39:59PM +0100, Simon McVittie wrote:
> On 24/04/13 17:05, Simon McVittie wrote:
> > On Wed, 24 Apr 2013 at 16:25:46 +0100, Simon McVittie wrote:
> >> telepathy-idle < 0.1.15 does not verify that the server's TLS certificate was
> >> issued by a trusted CA, or that it hasn't expired, or that it matches the
> >> server's hostname.
> > 
> > Here is a proposed patch for wheezy, either via t-p-u for wheezy r0 or
> > security/s-p-u for wheezy r1.
> 
> Security team: wheezy is vulnerable to this, and has a somewhat older
> upstream version than unstable (so it can't migrate that way). How do
> you want us to deal with this? I've re-attached the proposed patch for
> wheezy for your reference.
> 
> I've requested a CVE ID on oss-security.
> 
> I don't have a patch for squeeze, which would require implementing
> OpenSSL cert-checking in long-superseded code.
> 
> I don't think this is RC, particularly for squeeze: IRC is typically
> used without SSL, and the telepathy-idle version in squeeze is a pretty
> poor IRC implementation in general. It's telling that this is the one
> Telepathy component that has never had a stable-branch...

Please fix this through a point update for Wheezy post release.

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Jun 2013 07:48:18 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 11:04:20 2014; Machine Name: buxtehude.debian.org
