Ubuntu
xchat package

[CVE-2013-7449] xchat and derivatives don't validate ssl hostnames

  1. Wily (15.10)
  2. Bug #1565000
Bug #1565000 reported by Marc Deslauriers
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
hexchat (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Fix Released
Undecided
Unassigned
Wily
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
xchat (Ubuntu)
Precise
Won't Fix
Undecided
Unassigned
Trusty
Confirmed
Undecided
Unassigned
Wily
Confirmed
Undecided
Unassigned
xchat-gnome (Ubuntu)
Fix Released
Undecided
Marc Deslauriers
Precise
Fix Released
Undecided
Marc Deslauriers
Trusty
Fix Released
Undecided
Marc Deslauriers
Wily
Fix Released
Undecided
Marc Deslauriers
Xenial
Fix Released
Undecided
Marc Deslauriers

Bug Description

http://www.openwall.com/lists/oss-security/2015/01/29/23

XChat did not verify that the server hostname matched the domain name in
the subject's Common Name (CN) or subjectAltName field in X.509
certificates. This could allow a man-in-the-middle attacker to spoof an
SSL server if they had a certificate that was valid for any domain name.

Also applied to hexchat and xchat-gnome.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

https://github.com/hexchat/hexchat/issues/524
https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02d
https://bugzilla.redhat.com/show_bug.cgi?id=1081839

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Probably want this fix too:
https://github.com/hexchat/hexchat/commit/50463ca8321c39f3966c278ab25ca158404d72f1

Changed in xchat (Ubuntu Xenial):
status: New → Invalid
Changed in xchat-gnome (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in hexchat (Ubuntu Trusty):
status: New → Confirmed
Changed in hexchat (Ubuntu Precise):
status: New → Invalid
Changed in hexchat (Ubuntu Wily):
status: New → Fix Released
Changed in hexchat (Ubuntu Xenial):
status: New → Fix Released
Changed in xchat (Ubuntu Precise):
status: New → Confirmed
Changed in xchat (Ubuntu Trusty):
status: New → Confirmed
Changed in xchat (Ubuntu Wily):
status: New → Confirmed
Changed in xchat-gnome (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in xchat-gnome (Ubuntu Wily):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in xchat-gnome (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Revision history for this message
TingPing (tingping) wrote :

Debian removed xchat from their repos and xchat-gnome has been dead for equally long so they should both be removed IMO.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I maintain xchat-gnome in Ubuntu. It's the only one that uses gtk3, and is in the main repo.

xchat has already been removed from Xenial.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20141005.816798-0ubuntu9

---------------
xchat-gnome (1:0.30.0~git20141005.816798-0ubuntu9) xenial; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 12:39:36 -0400

Changed in xchat-gnome (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Mattia Rizzolo (mapreri) wrote :

Marc, could you also take care of patching hexchat in trusty while you're at it?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package hexchat - 2.9.6.1-2ubuntu0.1

---------------
hexchat (2.9.6.1-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 19:53:41 -0400

Changed in hexchat (Ubuntu Trusty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.2

---------------
xchat-gnome (1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.2) trusty-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 13:43:49 -0400

Changed in xchat-gnome (Ubuntu Trusty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20141005.816798-0ubuntu6.2

---------------
xchat-gnome (1:0.30.0~git20141005.816798-0ubuntu6.2) wily-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 13:32:30 -0400

Changed in xchat-gnome (Ubuntu Wily):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20110821.e2a400-0.2ubuntu4.3

---------------
xchat-gnome (1:0.30.0~git20110821.e2a400-0.2ubuntu4.3) precise-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 13:44:25 -0400

Changed in xchat-gnome (Ubuntu Precise):
status: Confirmed → Fix Released
Mathew Hodson (mhodson)
no longer affects: hexchat (Ubuntu Precise)
no longer affects: xchat (Ubuntu Xenial)
no longer affects: xchat (Ubuntu)
Mathew Hodson (mhodson)
summary: - xchat-gnome doesn't validate ssl hostnames
+ xchat and derivatives don't validate ssl hostnames
Mattia Rizzolo (mapreri)
summary: - xchat and derivatives don't validate ssl hostnames
+ [CVE-2013-7449] xchat and derivatives don't validate ssl hostnames
Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release

Changed in xchat (Ubuntu Precise):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.