ubuntuone-client doesn't validate ssl certificates

Bug #882062 reported by Marc Deslauriers
Affects                                  Status         Importance  Assigned to        Milestone
Ubuntu One Client                        Status tracked in Trunk
  Stable-3-0                             Fix Released   Undecided   Unassigned
  Stable-4-0                             Fix Released   Undecided   Unassigned
  Trunk                                  Fix Released   High        Unassigned
Ubuntu One storage protocol              Status tracked in Trunk
  Stable-1-2                             Won't Fix      Undecided   Unassigned
  Stable-1-6                             Won't Fix      Undecided   Unassigned
  Stable-2-0                             Won't Fix      Undecided   Unassigned
  Stable-3-0                             Fix Released   High        Alejandro J. Cura
  Stable-4-0                             Fix Released   High        dobey
  Trunk                                  Fix Released   Undecided   dobey
ubuntuone-client (Ubuntu)                Fix Released   Medium      Unassigned
  Lucid                                  Fix Released   Medium      Marc Deslauriers
  Maverick                               Won't Fix      Medium      Marc Deslauriers
  Natty                                  Fix Released   Medium      Marc Deslauriers
  Oneiric                                Fix Released   Medium      Marc Deslauriers
  Precise                                Fix Released   Medium      Marc Deslauriers
  Quantal                                Fix Released   Medium      Unassigned
ubuntuone-storage-protocol (Ubuntu)      Fix Released   Undecided   Unassigned
  Lucid                                  Fix Released   Undecided   Marc Deslauriers
  Maverick                               Won't Fix      Undecided   Unassigned
  Natty                                  Fix Released   Undecided   Marc Deslauriers
  Oneiric                                Fix Released   Undecided   Marc Deslauriers
  Precise                                Fix Released   Undecided   Marc Deslauriers
  Quantal                                Fix Released   Undecided   Unassigned

Bug Description

ubuntuone-client uses urllib2 to perform certain operations on https web sites. urllib2 does not do any certificate validation, and should only be used if certificate validation is being done by the application itself.

This results in a trivial man in the middle attack that can obtain or alter sensitive information.

Tags: patch

Changed in ubuntuone-client (Ubuntu):
status: New → Confirmed
Revision history for this message
Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-2-0 that depends on the curllib patch proposed for lp:ubuntu-sso-client/stable-1-4

Revision history for this message
Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-1-6 that depends on the curllib patch proposed for lp:ubuntu-sso-client/stable-1-2

Revision history for this message
Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-1-4 that depends on the curllib patch proposed for lp:ubuntu-sso-client/stable-1-0

Revision history for this message
Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-1-2 that *does not* depend on any ubuntu-sso-client versions, because there was none at the time.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for the patches, I'll work on security updates for this. Do not commit publicly until the security updates have been published. Thanks!

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2011-4409

Changed in ubuntuone-client (Ubuntu Lucid):
status: New → Confirmed
Changed in ubuntuone-client (Ubuntu Maverick):
status: New → Confirmed
Changed in ubuntuone-client (Ubuntu Natty):
status: New → Confirmed
Changed in ubuntuone-client (Ubuntu Oneiric):
status: New → Confirmed
Changed in ubuntuone-client (Ubuntu Lucid):
importance: Undecided → Medium
Changed in ubuntuone-client (Ubuntu Maverick):
importance: Undecided → Medium
Changed in ubuntuone-client (Ubuntu Natty):
importance: Undecided → Medium
Changed in ubuntuone-client (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in ubuntuone-client (Ubuntu Precise):
importance: Undecided → Medium
Changed in ubuntuone-client (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ubuntuone-client (Ubuntu Maverick):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ubuntuone-client (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ubuntuone-client (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

OK, after testing the patches and looking some more through the code, it
appears there are still some certificate validation issues:

On Lucid-Oneiric:
ubuntuone/syncdaemon/action_queue.py:

Uses twisted.internet.reactor.connectSSL. Unfortunately, connectSSL does
not validate the hostname against the certificate commonName (and subject
alternative names) itself; it is up to the application to enforce this.

ubuntuone-client must add this check, or a MITM can simply use any valid
certificate issued by a CA.

On Maverick:
ubuntuone/api/restclient.py: still uses urllib2 to open https connections
without proper certificate validation.

On Lucid:
bin/ubuntuone-preferences: uses httplib to open https connections without
proper certificate validation.

ubuntuone/oauthdesktop/auth.py: used httplib to open https connections.
Seems to validate certificates, but doesn't validate hostname against them.
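
The two findings in this thread (urllib2 performing no validation at all, and connectSSL accepting any CA-issued certificate because the hostname check is left to the application) illustrated as an added example; this is not code from ubuntuone-client, ubuntuone-storage-protocol or the patches attached here, and the certificate dicts it handles are the constructed shape returned by Python's `ssl.SSLSocket.getpeercert()`:

```python
"""Hostname verification that a TLS client must perform itself.

Added example, not project code. A CA-signed certificate only proves that
*some* host is who it claims to be; a client that never compares the
certificate's names with the host it dialled will accept a certificate issued
for any other domain. `match_hostname` performs that comparison over the dict
shape returned by ssl.SSLSocket.getpeercert(): subjectAltName dNSName entries
take precedence, and the subject commonName is only a fallback when no
dNSName is present (RFC 6125). A wildcard is honoured only as the entire
leftmost label. `client_context` shows the stdlib setting that makes the ssl
module do the same check, next to the weak setting that reproduces the bug.
"""
import ssl


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a wildcard that is the whole leftmost label is honoured, it must
    # leave at least two fixed labels (no "*.com"), and nothing else may
    # contain a wildcard ("*.*.example.com", "f*o.example.com" are rejected).
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # The wildcard covers exactly one label, never zero and never several.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return True if `cert` (a getpeercert() dict) is valid for `hostname`."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if not dns_names:
        # Fall back to the CN only when the certificate carries no dNSName.
        dns_names = [value for rdn in cert.get("subject", ())
                     for key, value in rdn if key == "commonName"]
    return any(_name_matches(name, hostname) for name in dns_names)


def client_context(insecure=False):
    """TLS client context; insecure=True reproduces the reported behaviour."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED,
    if insecure:                        # and check_hostname=True
        # Equivalent to what Python 2 urllib2 did: no chain check, no name
        # check, so any certificate (even self-signed) is accepted.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

Wrapping a socket with `client_context().wrap_socket(sock, server_hostname=host)` makes the ssl module perform the same name check as `match_hostname`; with a Twisted connectSSL-style API that does not, the application has to call something like `match_hostname` itself in its verify callback.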

Revision history for this message
Alejandro J. Cura (alecu) wrote :

Hi Marc, thanks for your very detailed report.
We'll work on fixing those issues too.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Hi! Any progress on this? Thanks

Revision history for this message
Alejandro J. Cura (alecu) wrote :

Hi Marc, we are now resuming the work on this bug.
Sorry for the delay; we were finishing some other work that had to make it in precise.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks! :)

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in ubuntuone-client (Ubuntu Maverick):
status: Confirmed → Won't Fix
Revision history for this message
Alejandro J. Cura (alecu) wrote :

I'm adding new versions of the patches, that include fixes for the twisted connectSSL as used by the code in the projects ubuntuone-client and ubuntuone-storage-protocol.

Revision history for this message
Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-1-6 that depends on the curllib patch proposed for lp:ubuntu-sso-client/stable-1-2 and on the fix for lp:ubuntuone-client-protocol/stable1-6

Revision history for this message
Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-2-0 that depends on the curllib patch proposed for lp:ubuntu-sso-client/stable-1-4 and on the fix for lp:ubuntuone-client-protocol/stable-2-0

Revision history for this message
Alejandro J. Cura (alecu) wrote :

In comments #15 and #17, I meant "lp:ubuntuone-storage-protocol/stable-..."

Revision history for this message
Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-3-0 that depends *only* on the fix for lp:ubuntuone-storage-protocol/stable-3-0

Revision history for this message
Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-1-2 that depends *only* on the fix for lp:ubuntuone-storage-protocol/stable-1-2

Revision history for this message
Alejandro J. Cura (alecu) wrote :

The above patches for Lucid also fix the issues with bin/ubuntuone-preferences and ubuntuone/oauthdesktop/auth.py
Please let me know if there's any further correction to be done.

Thanks!

Changed in ubuntuone-storage-protocol (Ubuntu Maverick):
status: New → Won't Fix
Changed in ubuntuone-storage-protocol (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in ubuntuone-storage-protocol (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in ubuntuone-storage-protocol (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in ubuntuone-storage-protocol (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in ubuntuone-client (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ubuntuone-storage-protocol (Ubuntu Quantal):
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Alejandro, I've hit a snag while building the precise ubuntuone-storage-protocol update:

dh --with=python2 clean
   dh_testdir
   dh_auto_clean
Traceback (most recent call last):
  File "setup.py", line 29, in <module>
    from ubuntuone.storageprotocol.context import ssl_cert_location
  File "/home/mdeslaur/work/ubuntuone-storage-protocol/precise/ubuntuone-storage-protocol-3.0.0/ubuntuone/storageprotocol/context.py", line 63, in <module>
    'UbuntuOne-Go_Daddy_Class_2_CA.pem'), 'r').read())
IOError: [Errno 2] No such file or directory: '/etc/ssl/certs/UbuntuOne-Go_Daddy_Class_2_CA.pem'
dh_auto_clean: python setup.py clean -a returned exit code 1
make: *** [clean] Error 1

setup.py causes the cert to be imported, but it cannot be imported while the package builds.

Revision history for this message
Alejandro J. Cura (alecu) wrote : Re: [Bug 882062] Re: ubuntuone-client doesn't validate ssl certificates

On 05/25/2012 12:27 PM, Marc Deslauriers wrote:
> Alejandro, I've hit a snag while building the precise ubuntuone-storage-
> protocol update:
>
> dh --with=python2 clean
> dh_testdir
> dh_auto_clean
> Traceback (most recent call last):
> File "setup.py", line 29, in <module>
> from ubuntuone.storageprotocol.context import ssl_cert_location
> File "/home/mdeslaur/work/ubuntuone-storage-protocol/precise/ubuntuone-storage-protocol-3.0.0/ubuntuone/storageprotocol/context.py", line 63, in <module>
> 'UbuntuOne-Go_Daddy_Class_2_CA.pem'), 'r').read())
> IOError: [Errno 2] No such file or directory: '/etc/ssl/certs/UbuntuOne-Go_Daddy_Class_2_CA.pem'
> dh_auto_clean: python setup.py clean -a returned exit code 1
> make: *** [clean] Error 1
>
> setup.py causes the cert to be imported, but it cannot be imported while
> the package builds.

Hi Marc, thanks for bringing this to my attention.

I'm on a National Holiday today, so I'll fix it first thing monday morning.

cheers,
--
alecu

Revision history for this message
Alejandro J. Cura (alecu) wrote :

This patch should fix the problem where the certificates were being loaded while building the package.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-storage-protocol - 3.0.0-0ubuntu1.1

---------------
ubuntuone-storage-protocol (3.0.0-0ubuntu1.1) precise-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: validate hostname in
      ubuntuone/storageprotocol/context.py, add test to
      tests/test_context.py.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Tue, 29 May 2012 13:58:05 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-client - 3.0.0-0ubuntu1.1

---------------
ubuntuone-client (3.0.0-0ubuntu1.1) precise-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: use correct URL in
      data/syncdaemon.conf, send hostname for validation in
      ubuntuone/syncdaemon/action_queue.py.
    - debian/control: bump python-ubuntuone-storageprotocol dependency to
      security update.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Tue, 29 May 2012 14:07:53 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-storage-protocol - 2.0.1-0ubuntu1.1

---------------
ubuntuone-storage-protocol (2.0.1-0ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: validate hostname in
      ubuntuone/storageprotocol/context.py, add test to
      tests/test_context.py.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Tue, 29 May 2012 14:50:00 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-client - 2.0.1-0ubuntu1.1

---------------
ubuntuone-client (2.0.1-0ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: use pycurl instead of urllib2 and
      send hostname for validation in ubuntuone/syncdaemon/action_queue.py,
      use correct URL in data/syncdaemon.conf, use pycurl instead of
      urllib2 in tests/syncdaemon/test_action_queue.py.
    - debian/control: bump python-ubuntuone-storageprotocol and
      ubuntu-sso-client dependencies to security updates.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Tue, 29 May 2012 15:23:53 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-storage-protocol - 1.6.1-0ubuntu1.2

---------------
ubuntuone-storage-protocol (1.6.1-0ubuntu1.2) natty-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: validate hostname in
      ubuntuone/storageprotocol/context.py, add test to
      tests/test_context.py.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Tue, 29 May 2012 15:34:32 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-client - 1.6.2-0ubuntu2.1

---------------
ubuntuone-client (1.6.2-0ubuntu2.1) natty-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: use pycurl instead of urllib2 and
      send hostname for validation in ubuntuone/syncdaemon/action_queue.py,
      use correct URL in data/syncdaemon.conf, use pycurl instead of
      urllib2 in tests/syncdaemon/test_action_queue.py.
    - debian/control: bump python-ubuntuone-storageprotocol and
      ubuntu-sso-client dependencies to security updates.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Tue, 29 May 2012 15:39:24 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-storage-protocol - 1.2.0-0ubuntu1.1

---------------
ubuntuone-storage-protocol (1.2.0-0ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: validate hostname in
      ubuntuone/storageprotocol/context.py, add test to
      tests/test_context.py.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Tue, 29 May 2012 15:46:00 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-client - 1.2.2-0ubuntu2.2

---------------
ubuntuone-client (1.2.2-0ubuntu2.2) lucid-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: use pycurl instead of urllib2 in
      bin/ubuntuone-preferences, tests/syncdaemon/test_action_queue.py,
      use pycurl instead of urllib2 and send hostname for validation in
      ubuntuone/syncdaemon/action_queue.py, use correct URL in
      data/syncdaemon.conf, correctly verify hostname in
      ubuntuone/oauthdesktop/auth.py, send hostname for validation in
      ubuntuone/u1sync/client.py, use pycurl instead of urllib2 in
      ubuntuone/utils/*, ship utils directory in Makefile.*.
    - debian/python-ubuntuone-client.install: also ship new utils
      directory.
    - debian/control: bump python-ubuntuone-storageprotocol dependency to
      security update.
    - debian/control: add python-pycurl dependency.
    - debian/rules: remove simple-patchsys.mk as this is a quilt package.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Thu, 31 May 2012 10:47:06 -0400

Changed in ubuntuone-client (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in ubuntuone-client (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in ubuntuone-client (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in ubuntuone-client (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in ubuntuone-storage-protocol (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in ubuntuone-storage-protocol (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in ubuntuone-storage-protocol (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in ubuntuone-storage-protocol (Ubuntu Precise):
status: Confirmed → Fix Released
visibility: private → public
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Fix for ubuntuone-storage-protocol in Natty" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Changed in ubuntuone-storage-protocol:
status: New → Fix Committed
dobey (dobey)
Changed in ubuntuone-client:
importance: Undecided → High
status: New → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-storage-protocol - 3.99.0-0ubuntu1

---------------
ubuntuone-storage-protocol (3.99.0-0ubuntu1) quantal; urgency=low

  * New upstream release.
    - Use both the cpp and python protobuf implementations when running
      the test suite. (LP: #988362)
    - Be more strict when validating the SSL certificate. (LP: #882062)
    - CVE-2011-4409
  * 00_fix_tests.patch:
    - Backport patch from upstream trunk to fix tests. (LP: #1011666)
  * debian/control:
    - Update build dependencies for running tests.
    - Remove python-xdg binary dependency as it isn't used any longer.
  * debian/rules:
    - Fix argument ordering for dh.
    - Run the tests when building the package.
  * debian/watch:
    - Update the watch file to use stable-4-0 series for Quantal.
 -- Rodney Dawes <email address hidden> Mon, 11 Jun 2012 15:47:19 -0400

Changed in ubuntuone-storage-protocol (Ubuntu Quantal):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-client - 3.99.0-0ubuntu1

---------------
ubuntuone-client (3.99.0-0ubuntu1) quantal; urgency=low

  * New upstream release.
    - Use dbus.Dictionary to pass empty dicts. (LP: #711162)
    - Ignore IN_CLOSE_WRITE for directories. (LP: #872894)
    - Validate SSL certificates better. (LP: #882062, LP: #1014654)
    - Ignore .goutputstream temporary files. (LP: #1012620)
    - Handle failures better in share creation. (LP: #1013180)
    - Re-upload files when server reports empty hash. (LP: #1013401)
  * debian/control:
    - Update some build dependencies in preparation for testing during builds,
      and to allow building on older supported versions of Ubuntu.
  * debian/watch:
    - Update to use stable-4-0 series for Quantal releases.
 -- Rodney Dawes <email address hidden> Tue, 19 Jun 2012 16:58:05 -0400

Changed in ubuntuone-client (Ubuntu Quantal):
status: Confirmed → Fix Released