Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 348003 (CVE-2010-4334)

Summary: <dev-perl/IO-Socket-SSL-1.35: Verification Bypass Vulnerability (CVE-2010-4334)
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.35/Changes
Whiteboard: A4 [noglsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2010-12-07 04:58:06 UTC 
From $URL:

v1.35 2010.12.06
- if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be
  verified as valid it will no longer fall back to VERIFY_NONE but throw
  an error. Thanks to Salvatore Bonaccorso and Daniel Kahn Gillmor for
  pointing out the problem, see also 
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058

From the Secunia advisory at http://secunia.com/advisories/42508/:

A security issue has been reported in Perl IO::Socket::SSL, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to IO::Socket::SSL silently falling back to the "VERIFY_NONE" verification mode if another verification mode is defined but no valid ca_file or ca_path is provided. This can be exploited to e.g. bypass the expected verification mode and conduct spoofing attacks.
Comment 1 Torsten Veller (RETIRED) gentoo-dev 2010-12-07 08:15:20 UTC 
dev-perl/IO-Socket-SSL-1.35 is in the tree now
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-12-07 14:14:16 UTC 
Arches, please test and mark stable:
=dev-perl/IO-Socket-SSL-1.35
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2010-12-07 14:38:53 UTC 
well on my x86

(*)my amd64 machine is down at the moment :)
Comment 4 Thomas Kahle (RETIRED) gentoo-dev 2010-12-07 17:09:33 UTC 
x86 done. Thanks agostino.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-12-07 17:38:43 UTC 
Stable for HPPA.
Comment 6 Alex Buell 2010-12-07 17:53:29 UTC 
Tested OK on SPARC, passed all its tests. Can stabilise.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-12-07 18:03:45 UTC 
Stable for PPC.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2010-12-07 22:07:35 UTC 
This has been assigned CVE-2010-4334.

http://www.openwall.com/lists/oss-security/2010/12/07/4
Comment 9 Markus Meier gentoo-dev 2010-12-08 16:45:30 UTC 
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2010-12-08 19:25:33 UTC 
amd64 ok
Comment 11 Brent Baude (RETIRED) gentoo-dev 2010-12-10 19:42:21 UTC 
ppc64 done
Comment 12 Markos Chandras (RETIRED) gentoo-dev 2010-12-10 21:43:12 UTC 
amd64 done. Thanks Agostino
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2010-12-12 17:05:30 UTC 
alpha/ia64/s390/sh/sparc stable
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2010-12-13 01:13:41 UTC 
GLSA Vote: No.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 22:50:19 UTC 
GLSA Vote: no, closing noglsa.