348003 – (CVE-2010-4334) <dev-perl/IO-Socket-SSL-1.35: Verification Bypass Vulnerability (CVE-2010-4334)

Bug 348003 (CVE-2010-4334) - <dev-perl/IO-Socket-SSL-1.35: Verification Bypass Vulnerability (CVE-2010-4334)

Summary: <dev-perl/IO-Socket-SSL-1.35: Verification Bypass Vulnerability (CVE-2010-4334)

Status:	RESOLVED FIXED

Alias:	CVE-2010-4334

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	http://cpansearch.perl.org/src/SULLR/...
Whiteboard:	A4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2010-12-07 04:58 UTC by Tim Sammut (RETIRED)
Modified:	2011-02-23 22:50 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tim Sammut (RETIRED) gentoo-dev

2010-12-07 04:58:06 UTC

From $URL:

v1.35 2010.12.06
- if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be
  verified as valid it will no longer fall back to VERIFY_NONE but throw
  an error. Thanks to Salvatore Bonaccorso and Daniel Kahn Gillmor for
  pointing out the problem, see also 
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058

From the Secunia advisory at http://secunia.com/advisories/42508/:

A security issue has been reported in Perl IO::Socket::SSL, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to IO::Socket::SSL silently falling back to the "VERIFY_NONE" verification mode if another verification mode is defined but no valid ca_file or ca_path is provided. This can be exploited to e.g. bypass the expected verification mode and conduct spoofing attacks.

Comment 1 Torsten Veller (RETIRED) gentoo-dev

2010-12-07 08:15:20 UTC

dev-perl/IO-Socket-SSL-1.35 is in the tree now

Comment 2 Tim Sammut (RETIRED) gentoo-dev

2010-12-07 14:14:16 UTC

Arches, please test and mark stable:
=dev-perl/IO-Socket-SSL-1.35
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 3 Agostino Sarubbo gentoo-dev

2010-12-07 14:38:53 UTC

well on my x86

(*)my amd64 machine is down at the moment :)

Comment 4 Thomas Kahle (RETIRED) gentoo-dev

2010-12-07 17:09:33 UTC

x86 done. Thanks agostino.

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2010-12-07 17:38:43 UTC

Stable for HPPA.

Comment 6 Alex Buell 2010-12-07 17:53:29 UTC

Tested OK on SPARC, passed all its tests. Can stabilise.

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2010-12-07 18:03:45 UTC

Stable for PPC.

Comment 8 Tim Sammut (RETIRED) gentoo-dev

2010-12-07 22:07:35 UTC

This has been assigned CVE-2010-4334.

http://www.openwall.com/lists/oss-security/2010/12/07/4

Comment 9 Markus Meier gentoo-dev

2010-12-08 16:45:30 UTC

arm stable

Comment 10 Agostino Sarubbo gentoo-dev

2010-12-08 19:25:33 UTC

amd64 ok

Comment 11 Brent Baude (RETIRED) gentoo-dev

2010-12-10 19:42:21 UTC

ppc64 done

Comment 12 Markos Chandras (RETIRED) gentoo-dev

2010-12-10 21:43:12 UTC

amd64 done. Thanks Agostino

Comment 13 Raúl Porcel (RETIRED) gentoo-dev

2010-12-12 17:05:30 UTC

alpha/ia64/s390/sh/sparc stable

Comment 14 Tim Sammut (RETIRED) gentoo-dev

2010-12-13 01:13:41 UTC

GLSA Vote: No.

Comment 15 Stefan Behte (RETIRED) gentoo-dev

2011-02-23 22:50:19 UTC

GLSA Vote: no, closing noglsa.