Bug 855579 (CVE-2013-7110) - VUL-0: CVE-2013-7110: transifex-client: incomplete fix
Summary: VUL-0: CVE-2013-7110: transifex-client: incomplete fix
Status: RESOLVED FIXED
Alias: CVE-2013-7110
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-16 09:00 UTC by Sebastian Krahmer
Modified: 2014-05-28 13:10 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Sebastian Krahmer 2013-12-16 09:00:48 UTC
rh#1043002
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1043002
Comment 1 Swamp Workflow Management 2013-12-16 23:00:19 UTC
bugbot adjusting priority
Comment 2 Sebastian Krahmer 2013-12-17 09:17:02 UTC
CVE-2013-7110
Comment 3 Tomáš Chvátal 2013-12-18 10:14:01 UTC
I checked the git and the upstream does not yet have a solution.

Also the package uses bundled urllib3. When I make it use system one it seems to fail properly, but I dunno if it won't stop working somewhere else in the code...

Anyway I committed it to the devel project, so if anyone could verify if it is sufficient, just create an MR from it.

https://build.opensuse.org/package/rdiff/devel:languages:python/transifex-client?linkrev=base&rev=10
Comment 4 Sebastian Krahmer 2014-01-13 10:58:25 UTC
My understanding of urllib3 is that this patch probably is not
sufficient. Basically it boils down to:

+    conn = urllib3.connection_from_url(kwargs['hostname'])
+    headers = urllib3.util.make_headers(
+        basic_auth='{0}:{1}'.format(username, password),
+        accept_encoding=True,
+        user_agent=user_agent_identifier(),
+    )

...

+        r = conn.request('GET', url, headers=headers)
+        remote_project = parse_json(r.data)
+        r.close()
+        return remote_project
+    except ssl.SSLError:
+        logger.error("Invalid SSL certificate")
+        raiseconnection_from_url
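Review bot: `conn = urllib3.connection_from_url(kwargs['hostname'])` on the first added line passes neither `cert_reqs` nor `ca_certs`, so the HTTPSConnectionPool it builds does not verify the peer at all: a missing certificate or a self-signed one is accepted as long as the hostname matches, and the `except ssl.SSLError` branch below never fires for an untrusted chain. Suggest `urllib3.connection_from_url(kwargs['hostname'], cert_reqs=ssl.CERT_REQUIRED, ca_certs=<system CA bundle path>)` so OpenSSL both demands a certificate and has trust anchors to check it against.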


Stepping down connection_from_url() it looks like you have to pass

a) cert_reqs,

   to force underlying openssl module to check peer certificates
   at all, and

b) ca_certs,

   so openssl module can set the verify-path for the trusted CA-chain.

As both parameters default to None, there is basically no action done
if the peer presents no certificate at all, or it can present you
a X509 certificate signed by anyone (including self-signed),
just the hostname has to match.

(connection_from_url() passes down to HTTPSConnectionPool(), failing
to pass the required arguments above)

So, the answer is: No, the patch doesn't work for us :)
Comment 5 Sebastian Krahmer 2014-01-13 11:01:40 UTC
Basically I wonder if transifex-client is really such an important
package. Anyway, by adding the cert_reqs parameter set to ssl.CERT_REQUIRED
and ca_certs set to our system CA-bundle path, it should work.
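An added example, not code from transifex-client or the patch above: the connection_from_url() call from comment 5 with both missing parameters supplied, plus a small audit helper for pool settings. The CA bundle paths are assumed locations for common distributions, and a missing value is treated as unverified, matching the None defaults the comments describe for the urllib3 of that time.

```python
import os
import ssl

# Candidate system CA bundle locations (assumed paths for common distributions).
CA_BUNDLE_CANDIDATES = (
    "/etc/ssl/ca-bundle.pem",              # openSUSE / SLES
    "/etc/ssl/certs/ca-certificates.crt",  # Debian / Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",    # Fedora / RHEL
)

def find_ca_bundle(candidates=CA_BUNDLE_CANDIDATES):
    """Return the first existing CA bundle path, or None if none is present."""
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None

def verifying_pool_kwargs(ca_bundle):
    """Keyword arguments that make HTTPSConnectionPool verify the peer.

    cert_reqs=CERT_REQUIRED makes OpenSSL demand and check a certificate and
    ca_certs supplies the trust anchors; one without the other is still
    unverified, so refuse to build the pair when no bundle is known.
    """
    if not ca_bundle:
        raise ValueError("no CA bundle path; refusing to build an unverified pool")
    return {"cert_reqs": ssl.CERT_REQUIRED, "ca_certs": ca_bundle}

def verifies_peer(pool_or_kwargs):
    """Audit pool settings (the kwargs given to connection_from_url(), or a
    pool object exposing cert_reqs / ca_certs): True only when cert_reqs is
    CERT_REQUIRED (constant or its name) and a ca_certs path is set. A missing
    value counts as unverified, matching the None defaults described above."""
    if isinstance(pool_or_kwargs, dict):
        cert_reqs = pool_or_kwargs.get("cert_reqs")
        ca_certs = pool_or_kwargs.get("ca_certs")
    else:
        cert_reqs = getattr(pool_or_kwargs, "cert_reqs", None)
        ca_certs = getattr(pool_or_kwargs, "ca_certs", None)
    required = cert_reqs in (ssl.CERT_REQUIRED, "CERT_REQUIRED")
    return bool(required and ca_certs)

def open_verifying_pool(url, ca_bundle=None):
    """The patch's connection_from_url() call with both parameters supplied.
    urllib3 is imported lazily so the audit helpers work without it."""
    import urllib3
    kwargs = verifying_pool_kwargs(ca_bundle or find_ca_bundle())
    return urllib3.connection_from_url(url, **kwargs)
```

Calling `open_verifying_pool("https://<hostname>")` returns a pool for which `verifies_peer(pool)` is True; handing it the bare `{}` that the patch effectively passes returns False.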
Comment 6 Bernhard Wiedemann 2014-03-20 13:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (855579) was mentioned in
https://build.opensuse.org/request/show/226858 Factory / transifex-client
Comment 7 Bernhard Wiedemann 2014-03-20 16:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (855579) was mentioned in
https://build.opensuse.org/request/show/226885 Factory / transifex-client
Comment 8 Tomáš Chvátal 2014-05-28 12:06:59 UTC
I added 0.11.lbeta and submitted it to the factory and based on what upstream says it should really be fixed. So please recheck and close this ;)
Comment 9 Sebastian Krahmer 2014-05-28 13:10:11 UTC
Checking the git clone it looks like they are exactly
using connection_from_url() as mentioned in comment#5 which
fixes the issue.