Bug 1148088 (CVE-2019-15525) - VUL-0: CVE-2019-15525: pw3270: There is Missing SSL Certificate Validation in the pw3270 terminal emulator before version 5.1
Status: RESOLVED FIXED
Alias: CVE-2019-15525
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.1
Hardware: Other Other
Priority: P3 - Medium Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/241074/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-26 08:21 UTC by Wolfgang Frisch
Modified: 2024-07-04 07:33 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Patch adding a warning window when the host certificate validation fails. (1.09 KB, patch)
2019-08-26 19:45 UTC, Perry Werneck

Comment 1 Perry Werneck 2019-08-26 12:18:12 UTC
By the description the CVE seems to be related to the old 5.1 version of pw3270; the current version 5.2 (available in https://build.opensuse.org/package/show/X11:terminals/lib3270-5.2) does more checks on the SSL certificate.

Regarding security, there are major changes in lib3270 planned for version 5.2, including a better way to check for certificate revocation.

Not sure if it's better to submit version 5.2 to Leap 15 or wait for the new version (it will take some time because I usually wait for the cycle of test/deploy before submitting to main repos).
Comment 2 Wolfgang Frisch 2019-08-26 15:36:37 UTC
Is it feasible to apply the patch to the current version 5.1 in Leap?
That would be the best option, in my humble opinion.
Then you don't have to rush the release of pw3270-5.2.
Comment 3 Perry Werneck 2019-08-26 19:45:00 UTC
Created attachment 815758 [details]
Patch adding a warning window when the host certificate validation fails.
Comment 4 Perry Werneck 2019-08-26 19:46:27 UTC
(In reply to Wolfgang Frisch from comment #2)
> Is it feasible to apply the patch to the current version 5.1 in Leap?
> That would be the best option, in my humble opinion.
> Then you don't have to rush the release of pw3270-5.2.

Yes, it's feasible; the proposed patch is attached. It's not the same behavior as the latest code but, I think, it solves the problem by showing a warning popup when the validation fails.
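The point of the attached patch, that a failed host certificate check must be surfaced to the user rather than silently accepted, can be shown end to end with a small TLS client. The following is an added Go example, not pw3270's or lib3270's own code (those are C over OpenSSL): it generates two self-signed certificates for a constructed host name (`mainframe.example.test`), serves each from a loopback listener, and connects with a client that either skips validation (the behaviour the CVE describes) or enforces it. The function names `selfSignedCert`, `startHost`, `connect` and `RunScenario` are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed host name for the demonstration; nothing outside loopback is contacted.
const hostName = "mainframe.example.test"

// selfSignedCert builds a throwaway self-signed certificate for hostName. It is
// called twice: once for the genuine host and once for an untrusted look-alike.
func selfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostName},
		DNSNames:     []string{hostName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startHost serves TLS on loopback with cert and completes handshakes; a real
// 3270 host would then speak TN3270 over the connection.
func startHost(cert tls.Certificate) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln
}

// connect opens a TLS session to addr expecting hostName. verify=false skips the
// chain and name checks (the behaviour the CVE describes); verify=true turns any
// failure into an error the caller must show, as the attached patch's warning does.
func connect(addr string, roots *x509.CertPool, verify bool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName:         hostName,
		RootCAs:            roots,
		InsecureSkipVerify: !verify, // true == no certificate validation at all
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcome records what each client variant did against each host.
type Outcome struct {
	UnverifiedAcceptsForgery bool   // vulnerable client connects to the look-alike
	VerifiedRejectsForgery   bool   // fixed client refuses the look-alike
	RejectReason             string // the text a warning dialog would show
	VerifiedAcceptsTrusted   bool   // fixed client still reaches the genuine host
}

// RunScenario stands up a trusted host and an untrusted look-alike and probes both.
func RunScenario() Outcome {
	realCert, forgedCert := selfSignedCert(), selfSignedCert() // same name, different keys
	trusted := x509.NewCertPool()
	trusted.AddCert(realCert.Leaf) // the only certificate the client should accept
	realHost, forgedHost := startHost(realCert), startHost(forgedCert)
	defer realHost.Close()
	defer forgedHost.Close()

	var out Outcome
	out.UnverifiedAcceptsForgery = connect(forgedHost.Addr().String(), trusted, false) == nil
	if err := connect(forgedHost.Addr().String(), trusted, true); err != nil {
		out.VerifiedRejectsForgery = true
		out.RejectReason = err.Error()
	}
	out.VerifiedAcceptsTrusted = connect(realHost.Addr().String(), trusted, true) == nil
	return out
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Running it prints an `Outcome` where the unverified client accepts the look-alike host while the verifying client rejects it with an unknown-authority error and still reaches the genuine host; that error string is exactly what a terminal emulator should present in its warning window instead of continuing the session.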
Comment 5 Wolfgang Frisch 2020-01-16 15:28:13 UTC
Not fixed in Leap 15.1 yet.
Comment 6 Alexanre Werneck 2020-01-17 11:58:39 UTC
What's the process to submit the patch or, better, the new version from factory as an update for Leap 15.1?
Comment 7 Wolfgang Frisch 2024-07-04 07:33:24 UTC
(In reply to Alexanre Werneck from comment #6)
> What's the process to submit the patch or, better, the new version from
> factory as an update for Leap 15.1?

I'm sorry for the very late response. The bug had been lost in the ether.
All openSUSE packages of pw3270 have long been fixed.