git.vger.kernel.org archive mirror
From: Andreas Ericsson <ae@op5.se>
To: Zubin Mithra <zubin.mithra@gmail.com>
Cc: git@vger.kernel.org, "Dhanesh K." <dhanesh1428@gmail.com>
Subject: Re: Certificate validation vulnerability in Git
Date: Sun, 24 Feb 2013 19:46:51 +0100
Message-ID: <512A601B.80807@op5.se>
In-Reply-To: <CAA5xPpmmZuMK7q3-pTOx4L6DxFtyw5HWYdH7kHEsK=96KM5kAQ@mail.gmail.com>

On 02/24/2013 06:31 PM, Zubin Mithra wrote:
> Hello,
> 
> There seems to be a security issue in the way git uses openssl for
> certificate validation. Similar occurrences have been found and
> documented in other open source projects, the research can be found at
> [1].
> 
> -=========]
> - imap-send.c
> 
> Line 307
> 
>   307   ret = SSL_connect(sock->ssl);
>   308   if (ret <= 0) {
>   309     socket_perror("SSL_connect", sock, ret);
>   310     return -1;
>   311   }
>   312
> 
> Certificate validation errors are signaled either through return
> values of SSL_connect or by setting internal flags. The internal flags
> need to be checked using the SSL_get_verify_result function. This is
> not performed.
> 
> Kindly fix these issues, file a CVE and credit it to Dhanesh K. and
> Zubin Mithra. Thanks.
> 

The lack of certificate authority verification presents no attack vector
for git imap-send. As such, it doesn't warrant a CVE. I'm sure you'll
be credited with a "reported-by" line in the commit message if someone
decides to fix it though. Personally, I'm not fussed.

> We are not subscribed to this list, so we'd appreciate it if you could
> CC us in the replies.
> 

That's standard on this list. Please follow the same convention if/when
you reply. Thanks.

-- 
Andreas Ericsson                   andreas.ericsson@op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.

Thread overview: 7+ messages
2013-02-24 17:31 Certificate validation vulnerability in Git Zubin Mithra
2013-02-24 18:46 ` Andreas Ericsson [this message]
2013-02-25  2:28   ` Zubin Mithra
2013-02-25  3:18   ` Jeff King
2013-02-25  5:35     ` Junio C Hamano
2013-02-25  3:16 ` Jeff King
2013-02-25 15:42   ` Zubin Mithra
