Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: Curl insecure usage
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Tue, 27 Nov 2012 17:55:14 -0500 (EST)


Kurt,

My read is that these are fairly straightforward issues, although the number of implementations with this problem may be rather high :-(

opendnssec calls libcurl with an incorrect value "true" that's effectively treated as the number 1, which is an insecure CURLOPT_SSL_VERIFYHOST value. So, opendnssec didn't call the API correctly - so the problem rests with opendnssec.

For the handful of people interested - this is a kind of type confusion or incorrect conversion error that affects a language other than C! Kinda cute.

For PHPcas, this is just calling the API with an insecure CURLOPT_SSL_VERIFYHOST value, period.

So, I'd say that these faulty implementations each deserve their own CVE, instead of a single ID for Curl.

- Steve


On Mon, 26 Nov 2012, Kurt Seifried wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/26/2012 08:06 AM, Moritz Muehlenhoff wrote:
Hi, during the triage of the SSL client bugs spotted by the
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf paper Debian
developer Alessandro Ghedini discovered two more applications using
Curl in an insecure manner:

1. opendnssec (in the eppclient tool)
http://lists.opendnssec.org/pipermail/opendnssec-user/2012-November/002296.html

 2. PHPcas (used by Moodle e.g.):
https://github.com/Jasig/phpCAS/pull/58

Please assign CVE IDs for these.

Cheers, Moritz


Have these been receiving individual CVE's? I can't find any offhand,
can you provide examples of others?

- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQs7giAAoJEBYNRVNeJnmTDM4QALlcub2QiCRwLG6hkUOfpMJa
EbWePTQ2DeShhmnCW1nFrbFQQWpzAQBvJdGmoS45L33ikv3FN5LJKblQ7PTYgHV0
AMluclPdvrF9szXYpAfREga+YlUbrMkzZnR1p3KTApeKaOMqE1gX41+2waXMqL73
I0p/eLalMP35+lNJJZRK2dE9dZ70f7GRCbfOTgvAV+LWWcyxOYm6RnS8iyfW4UIs
j3SFIAVya5xXvsKvlhsXtYQaqXpdlcIXkNUBgtCi1ECXt2kAfQEsdhS6B6fSoWAR
Nw3bFFiYjCpS5Ek+cpeLWNvklKr27JMchYyN7QYIq99U+2vS2uBAv5o8+cas0xzL
I33GhffxhthjROt3zfmv3oQhKgTAMaDSbC781gSxdU0h1xPwFolXq8h6ebJRBPwU
BRtnMpwgvM1Cw9EBSeoEA1+wZH1cahSeghT5GAkedn2F1Qn1CykQlQ/3AvXkohCp
O+uYq++7K4iYTz4Fjk71pTCzoaeLslDts3g0THRUE7AecKp0jREJ7fZp8Y6C8hYO
BEbb7GBphW9wYvRJMOQ7ILQbjfdE1gaSLF1qG2/zdoxmZqmdc6mY7zh8MeS27aUV
YcVeBblMyd+BgVzgDl7ZBcLJgwwH90jysUeG/i2NDlQuDDEP9CFNtfRGzXVNlLM+
0hkHSxVzqagWo/TNFQyn
=s0Km
-----END PGP SIGNATURE-----



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault