Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <r2z9e1e2b1f1004261248pf702bb0ez705b8c7d401a8eef@mail.gmail.com>
Date: Mon, 26 Apr 2010 21:48:29 +0200
From: Wouter Coekaerts <coekie@...si.org>
To: Jamie Strandboge <jamie@...onical.com>
Cc: oss-security <oss-security@...ts.openwall.com>, 
	Steve Langasek <steve.langasek@...onical.com>
Subject: Re: Re: CVE request: irssi 0.8.15

On Sat, Apr 17, 2010 at 11:37 PM, Jamie Strandboge <jamie@...onical.com> wrote:
> However, after rolling it out Steve Langasek discovered a bug when
> connecting to an SSL irc proxy server[1]. His patch (attached) adjusts
> it so when we have a proxy setting, expect the CN to match the proxy
> hostname, not the server hostname

Irssi doesn't have any SSL proxy support. So at first sight, this
seemed like a bugfix for a non-existing feature. Looking at it again,
it seems worse.

There is not much explanation in the linked bug, so I'm making some
assumptions. Correct me if they're wrong.
What you can do in irssi, is configure a proxy, and then attempt to
connect to an SSL IRC server through that proxy. Unfortunately, irssi
currently can't do that, because there is a bug (not a vulnerability)
in irssi that in that case makes it send the configured "proxy_string"
encrypted in SSL instead of in plain text. This misbehaviour could be
used in an akward setup to connect to a proxy that requires SSL, by
pretending to connect to an SSL irc server. To do that you would have
to enable SSL when connecting to the server, even when it's not an SSL
server. By looking at the code, I suspect the patch is about making
that setup work without getting certificate checking errors. Is that
correct?

Because it's more familiar, maybe it's more clear in the webbrowser
equivalent: it is like configuring an http proxy in your browser,
without saying that it requires SSL. Then you surf to
https://example.com, encrypting your connection to the proxy, but
letting the proxy get http://example.com.

It is intended behaviour in irssi that the certificate check fails
here. This patch makes that check pass. That means the proxy is kind
of always doing a MITM attack. The user is given the impression he is
securely connecting to an IRC server, but his actual IRC connection
(between proxy and irc server) is plain text.

To me this additional patch looks like a security vulnerability.

Regards,

Wouter.

PS: I'd comment on launchpad, but my account seems to be blocked.

> [1] https://bugs.launchpad.net/ubuntu/+source/irssi/+bug/565182

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.