Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 359259 (CVE-2011-1428) - <net-irc/weechat-0.3.5: SSL Certificate Validation Security Issue (CVE-2011-1428)
Summary: <net-irc/weechat-0.3.5: SSL Certificate Validation Security Issue (CVE-2011-1...
Status: RESOLVED FIXED
Alias: CVE-2011-1428
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor with 1 vote (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/43543
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-03-17 10:21 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-06-13 18:19 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-17 10:21:31 UTC
JD has discovered a security issue in WeeChat, which can be exploited by malicious people to conduct spoofing attacks.

The security issue is caused due to the application not verifying the validity of the SSL certificates presented when logging in to a server which does not request a client certificate during the handshake. This can be exploited to spoof a valid server and e.g. conduct Man-in-the-Middle (MitM) attacks.

The security issue is confirmed in version 0.3.4. Other versions may also be affected.

http://secunia.com/advisories/43543
Comment 1 Tomáš Chvátal (RETIRED) gentoo-dev 2011-03-22 16:55:21 UTC
Hmpf I can't find any fix in the GIT repository for now.
Comment 2 Marco Paolone 2011-05-02 09:57:36 UTC
Could be this the fix?

https://savannah.nongnu.org/patch/?7459

This fix has been included in new version (0.3.5-rc2 at the moment, ready for May 15th).
Comment 3 Roc Vallès 2011-05-18 02:05:50 UTC
0.3.5 is out. We should just upgrade to it.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-05-18 02:14:37 UTC
Sure enough, the upstream changelog [1] includes this issue as fixed.

core: fix verification of SSL certificates by calling gnutls verify callback (patch #7459) 

1 http://weechat.org/files/changelog/ChangeLog-0.3.5.html
Comment 5 Tomáš Chvátal (RETIRED) gentoo-dev 2011-05-26 09:11:29 UTC
This is fixed in 0.3.5 version that is in main tree. Feel free to stabilise it if you want (just add arches).
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-05-26 15:49:57 UTC
Arches, please test and mark stable:
=net-irc/weechat-0.3.5
Target keywords : "amd64 ppc x86"
Comment 7 Agostino Sarubbo gentoo-dev 2011-05-26 18:15:16 UTC
works on amd64.
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-27 06:20:16 UTC
ppc stable
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-27 07:16:23 UTC
x86 stable
Comment 10 Tomáš Chvátal (RETIRED) gentoo-dev 2011-05-27 08:01:29 UTC
Amd64 done.

All arches done.

Older version dropped.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-05-27 14:40:13 UTC
Thanks, everyone. GLSA Vote: no.
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-05-27 16:08:13 UTC
NO too, closing noglsa.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 18:19:52 UTC
CVE-2011-1428 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1428):
  Wee Enhanced Environment for Chat (aka WeeChat) 0.3.4 and earlier does not
  properly verify that the server hostname matches the domain name of the
  subject of an X.509 certificate, which allows man-in-the-middle attackers to
  spoof an SSL chat server via an arbitrary certificate, related to incorrect
  use of the GnuTLS API.