*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: offlineimap

Package: offlineimap
Severity: grave
Tags: security
Justification: user security hole

offlineimap performs absolutely no SSL certificate checking. So users could/can 
be the victim of a man-in-the-middle attack.
In Debian the following bugs exist:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536421 (re certificate 
expiration)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=153240 (re ssl fingerprint 
checking)

This could be considered a bug in imaplib (http://bugs.python.org/issue10274).
A partial 'fix' is the following (this 'fix' isn't complete and would break 
connections to servers using self-signed certificates):

WARNING XXX: I haven't tested this 'fix' at all and so it is most likely
wrong.

diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py
index a60242b..c37688c 100644
--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@@ -62,7 +62,7 @@ class IMAP4_Tunnel(IMAP4):
         self.infd.close()
         self.outfd.close()
         self.process.wait()
-
+
 class sslwrapper:
     def __init__(self, sslsock):
         self.sslsock = sslsock
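Review bot: the first hunk (around `class sslwrapper:`) is a whitespace-only change, replacing a blank line that carried trailing spaces with an empty one, and is unrelated to the certificate check; leaving it out keeps a security patch minimal and easier to backport.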
@@ -171,7 +171,7 @@ def new_open_ssl(self, host = '', port = IMAP4_SSL_PORT):
         if last_error != 0:
             # FIXME
             raise socket.error(last_error)
-        self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile)
+        self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile, 
cert_reqs=ssl.CERT_REQUIRED, ca_certs="/etc/ssl/certs/ca-certificates.crt")
         self.sslobj = sslwrapper(self.sslobj)
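Review bot: `ssl.CERT_REQUIRED` needs the `ssl` module in scope in imaplibutil.py and `ssl_wrap` must accept the `cert_reqs` and `ca_certs` keyword arguments, and this hunk shows neither; if `ssl_wrap` is a compatibility shim around an older socket-level SSL call, the patched line fails at connect time instead of on a bad certificate, so please show the import and the `ssl_wrap` signature. Two further points for the same line: `CERT_REQUIRED` validates the chain against the bundle but does not check that the certificate's name matches `host` (the gap python issue1589, cited below, describes), and the bundle path `/etc/ssl/certs/ca-certificates.crt` is Debian-specific and hard-coded where it should come from the user's configuration.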

Although, this isn't complete because it will break servers using self-signed 
certificates, and http://bugs.python.org/issue1589 means that it won't provide 
full protection etc.
Really, what is required is that by default the certificate is checked and 
perhaps an option is added to bypass the check.

This isn't a new discovery, see [1], but the package provides no warning
about this fact. I added a warning to
https://github.com/jgoerzen/offlineimap/wiki/; perhaps Ubuntu can add a
warning (in the package description) until this is fixed.

[1] - http://thread.gmane.org/gmane.mail.imap.offlineimap.general/760

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (900, 'stable'), (650, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
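The report asks for a client that checks the server certificate by default, with an option to bypass the check, and the Debian bugs it cites cover certificate expiry and fingerprint checking for self-signed servers. The following is an added example, not offlineimap's code or the reporter's patch: it builds the TLS context the way a hardened IMAPS client should (chain validation plus hostname matching, which `CERT_REQUIRED` alone does not give), adds SHA-256 fingerprint pinning for self-signed servers, and makes "no checking" an explicit opt-in. It assumes the Python 3 `ssl` module; the function names, the `ImapTlsError` class and the byte string used as a stand-in certificate are this example's own.

```python
# Added example, not offlineimap's code: verify-by-default TLS for IMAPS,
# with fingerprint pinning for self-signed servers and an explicit bypass.
# Assumes Python 3's ssl module; names below are this example's own.
import hashlib
import hmac
import socket
import ssl


class ImapTlsError(Exception):
    """Raised when the server certificate fails the configured check."""


def make_imap_tls_context(ca_file=None, verify=True, pinned_sha256=None):
    """Build the SSLContext for an IMAPS connection.

    Default (verify=True, no pin): CERT_REQUIRED against ca_file, or the
    system trust store when ca_file is None, plus hostname matching.
    CERT_REQUIRED alone validates the chain but not that the name in the
    certificate matches the host, so check_hostname must stay on.

    pinned_sha256: hex SHA-256 of the server's DER certificate, for a
    self-signed server no CA bundle can validate. Chain validation is
    skipped and the caller must run check_pinned_cert() after the handshake.

    verify=False: no checking at all, the reported vulnerable behaviour;
    a client should only reach this through explicit configuration.
    """
    if verify and pinned_sha256 is None:
        ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        return ctx
    # Pinning or explicit bypass: no chain validation by OpenSSL.
    # check_hostname must be cleared before verify_mode can be CERT_NONE.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx):
    """Summarise what a context enforces, for logging or tests."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def cert_sha256(der_cert):
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pinned_cert(der_cert, pinned_sha256):
    """Compare the presented certificate with the configured pin.

    Accepts the colon-separated upper-case form that openssl prints.
    Returns True on a match and raises ImapTlsError otherwise; the
    comparison is constant-time so the mismatch position is not leaked.
    """
    expected = pinned_sha256.replace(":", "").lower()
    actual = cert_sha256(der_cert)
    if not hmac.compare_digest(actual, expected):
        raise ImapTlsError("certificate fingerprint %s does not match pin %s" % (actual, expected))
    return True


def open_imap_tls(host, port=993, ca_file=None, verify=True, pinned_sha256=None, timeout=30):
    """Connect to an IMAPS server and return the checked TLS socket.

    With the defaults a failed chain or hostname check raises
    ssl.SSLCertVerificationError from wrap_socket. With a pin, a mismatch
    raises ImapTlsError after the handshake and the socket is closed,
    so no IMAP command (and no password) is ever sent to an unchecked peer.
    """
    ctx = make_imap_tls_context(ca_file=ca_file, verify=verify, pinned_sha256=pinned_sha256)
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # SNI and hostname check use this name
    if pinned_sha256 is not None:
        try:
            # binary_form=True returns the DER certificate even under CERT_NONE
            check_pinned_cert(tls.getpeercert(binary_form=True), pinned_sha256)
        except ImapTlsError:
            tls.close()
            raise
    return tls
```

On Debian the `ca_file` argument would be the bundle path the patch above hard-codes; passing it from configuration rather than fixing it in the source keeps the code portable. The bypass and pin modes share one context because in both cases OpenSSL itself validates nothing, which is why the pin check runs before any IMAP traffic.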

** Affects: offlineimap (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

** Description changed:

  Binary package hint: offlineimap
  
  Package: offlineimap
  Severity: grave
  Tags: security
  Justification: user security hole
  
  offlineimap performs absolutely no ssl certificate checking. So users 
could/can be the victim of a man in the middle attack.
  In debian the following bugs exist:
  
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536421 (re certificate 
expiration)
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=153240 (re ssl fingerprint 
checking)
  
  This could be considered a bug in imaplib (http://bugs.python.org/issue10274).
  A partial 'fix' is the following(this 'fix' isn't complete and would break 
connections to server's using self-signed certificates):
  
- 
- WARNING XXX: I haven't tested this 'fix' at all and so it is most likely 
wrong.
+ WARNING XXX: I haven't tested this 'fix' at all and so it is most likely
+ wrong.
  
  diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py
  index a60242b..c37688c 100644
  --- a/offlineimap/imaplibutil.py
  +++ b/offlineimap/imaplibutil.py
  @@ -62,7 +62,7 @@ class IMAP4_Tunnel(IMAP4):
-          self.infd.close()
-          self.outfd.close()
-          self.process.wait()
- -        
+          self.infd.close()
+          self.outfd.close()
+          self.process.wait()
+ -
  +
-  class sslwrapper:
-      def __init__(self, sslsock):
-          self.sslsock = sslsock
+  class sslwrapper:
+      def __init__(self, sslsock):
+          self.sslsock = sslsock
  @@ -171,7 +171,7 @@ def new_open_ssl(self, host = '', port = IMAP4_SSL_PORT):
-          if last_error != 0:
-              # FIXME
-              raise socket.error(last_error)
+          if last_error != 0:
+              # FIXME
+              raise socket.error(last_error)
  -        self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile)
  +        self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile, 
cert_reqs=ssl.CERT_REQUIRED, ca_certs="/etc/ssl/certs/ca-certificates.crt")
-          self.sslobj = sslwrapper(self.sslobj)
- 
+          self.sslobj = sslwrapper(self.sslobj)
  
  Although, this isn't complete because it will break self-signed certificate 
using server's and http://bugs.python.org/issue1589 means that it won't provide 
full protection etc.
  Really, what is required is that by default the certificate is checked and 
perhaps an option is added to bypass the check.
  
  This isn't a new discovery, see [1], but the package provides no warning
  about this fact. I added a warning to
- https://github.com/jgoerzen/offlineimap/wiki/ perhaps debian can add a
+ https://github.com/jgoerzen/offlineimap/wiki/ perhaps ubuntu can add a
  warning (in the package description) until this is fixed.
  
  [1] - http://thread.gmane.org/gmane.mail.imap.offlineimap.general/760
  
  -- System Information:
  Debian Release: 5.0.6
-   APT prefers stable
-   APT policy: (900, 'stable'), (650, 'testing')
+   APT prefers stable
+   APT policy: (900, 'stable'), (650, 'testing')
  Architecture: amd64 (x86_64)
  
  Kernel: Linux 2.6.36 (SMP w/4 CPU cores)
  Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
  Shell: /bin/sh linked to /bin/bash

** Summary changed:

- offlineimap: fails check the remote server's ssl certificate is valid
+ offlineimap: fails to check the remote server's ssl certificate is valid

** Bug watch added: Debian Bug tracker #603450
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603450

-- 
offlineimap: fails to check the remote server's ssl certificate is valid
https://bugs.launchpad.net/bugs/675120