Bug 15158 - hexchat does not verify SSL certificates (CVE-2013-7449)
Summary: hexchat does not verify SSL certificates (CVE-2013-7449)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/632256/
Whiteboard: MGA4-32-OK MGA4-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-01-29 23:48 CET by David Walser
Modified: 2016-04-07 13:50 CEST

See Also:
Source RPM: hexchat-2.9.6.1-3.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-01-29 23:48:29 CET
A CVE was requested for a security issue fixed upstream in hexchat:
http://openwall.com/lists/oss-security/2015/01/29/23

If I understand the upstream bug report correctly, this was fixed in 2.9.8, so Cauldron should be OK.  The message above links the upstream commit that fixed it.

Apparently xchat and xchat-gnome are affected too.  Xchat is dead upstream and probably won't be fixed unless someone makes a patch.  I'm not sure about xchat-gnome.

Comment 1 Sander Lepik 2015-01-30 13:03:54 CET
I have uploaded a patched package for Mageia 4.

Not sure how to test the hostname validation so I think you should just test that it still works (testing myself on x86_64 and seems to work OK).

Suggested advisory:
========================

This update fixes the following security vulnerability:

HexChat did not verify that the server hostname matched the domain name in 
the subject's Common Name (CN) or subjectAltName field in X.509 
certificates. This could allow a man-in-the-middle attacker to spoof an 
SSL server if they had a certificate that was valid for any domain name.

References:
http://openwall.com/lists/oss-security/2015/01/29/23
https://github.com/hexchat/hexchat/issues/524

========================

Updated packages in core/updates_testing:
========================
hexchat-2.9.6.1-3.1.mga4
hexchat-checksum-2.9.6.1-3.1.mga4
hexchat-devel-2.9.6.1-3.1.mga4
hexchat-doat-2.9.6.1-3.1.mga4
hexchat-fishlim-2.9.6.1-3.1.mga4
hexchat-perl-2.9.6.1-3.1.mga4
hexchat-python-2.9.6.1-3.1.mga4
hexchat-sysinfo-2.9.6.1-3.1.mga4

Source RPM: 
hexchat-2.9.6.1-3.1.mga4.src.rpm

Assignee: mageia => qa-bugs
Hardware: i586 => All

Comment 2 claire robinson 2015-01-30 13:06:55 CET
Are you using an SSL connection, Sander?
Comment 3 Sander Lepik 2015-01-30 13:20:45 CET
(In reply to claire robinson from comment #2)
> Are you using an SSL connection, Sander?

I don't think so :) Someone should test with SSL too.

CC: (none) => mageia

Comment 4 olivier charles 2015-01-31 10:16:33 CET
Testing on Mageia4x32, real hardware

From current packages:
---------------------
- hexchat-2.9.6.1-3.mga4.i586
- hexchat-checksum-2.9.6.1-3.mga4.i586
- hexchat-devel-2.9.6.1-3.mga4.i586
- hexchat-doat-2.9.6.1-3.mga4.i586
- hexchat-fishlim-2.9.6.1-3.mga4.i586
- hexchat-perl-2.9.6.1-3.mga4.i586
- hexchat-python-2.9.6.1-3.mga4.i586
- hexchat-sysinfo-2.9.6.1-3.mga4.i586

Connected to a network using an SSL-connection
(irc.barafranca.com/+6679)
On connecting, hexchat window showed:
(...)
* * Certification info:
*   Subject:
*     OU=Domain Control Validated
*     CN=irc.barafranca.com
*   Issuer:
*     C=US
*     ST=Arizona
*     L=Scottsdale
*     O=GoDaddy.com, Inc.
*     OU=http:
*     
*     certificates.godaddy.com
*     repository
*     CN=Go Daddy Secure Certification Authority
*     serialNumber=07969287
*   Public key algorithm: rsaEncryption (2048 bits)
*   Sign algorithm sha1WithRSAEncryption
*   Valid since Jun  3 12:27:53 2013 GMT to Jun  3 12:27:53 2015 GMT
* * Cipher info:
*   Version: TLSv1/SSLv3, cipher DHE-RSA-AES256-SHA (256 bits)
(...)
*** You are connected using SSL cipher "DHE-RSA-AES-256-CBC-SHA1"

Updated to testing packages:
---------------------------

- hexchat-2.9.6.1-3.1.mga4.i586
- hexchat-checksum-2.9.6.1-3.1.mga4.i586
- hexchat-devel-2.9.6.1-3.1.mga4.i586
- hexchat-doat-2.9.6.1-3.1.mga4.i586
- hexchat-fishlim-2.9.6.1-3.1.mga4.i586
- hexchat-perl-2.9.6.1-3.1.mga4.i586
- hexchat-python-2.9.6.1-3.1.mga4.i586
- hexchat-sysinfo-2.9.6.1-3.1.mga4.i586

*   Subject:
*     OU=Domain Control Validated
*     CN=irc.barafranca.com
*   Issuer:
*     C=US
*     ST=Arizona
*     L=Scottsdale
*     O=GoDaddy.com, Inc.
*     OU=http:
*     
*     certificates.godaddy.com
*     repository
*     CN=Go Daddy Secure Certification Authority
*     serialNumber=07969287
*   Public key algorithm: rsaEncryption (2048 bits)
*   Sign algorithm sha1WithRSAEncryption
*   Valid since Jun  3 12:27:53 2013 GMT to Jun  3 12:27:53 2015 GMT
* * Cipher info:
*   Version: TLSv1/SSLv3, cipher DHE-RSA-AES256-SHA (256 bits)

Connected to same network using SSL-connection
*** You are connected using SSL cipher "DHE-RSA-AES-256-CBC-SHA1"

which showed I was using an SSL-connection.
Don't know how to test whether it verifies the Certificate Common Name since the messages are the same.
Basic usage of hexchat all OK.

CC: (none) => olchal
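As an added illustration (not code from this bug, HexChat or Mageia), here is the check the advisory in comment 1 describes and that comments 1 and 4 had no way to exercise: a certificate that validates up to a trusted CA but names a different host is accepted by the unfixed behaviour and rejected once the SAN/CN name check runs. The certificate dicts are constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; only the CN `irc.barafranca.com` is taken from the connection log in comment 4.

```python
# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); the values are made up for this example.
CERT_IRC = {
    "subject": ((("organizationalUnitName", "Domain Control Validated"),),
                (("commonName", "irc.barafranca.com"),)),
    "subjectAltName": (("DNS", "irc.barafranca.com"),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.net"),),),
    "subjectAltName": (("DNS", "*.example.net"),),
}
CERT_OTHER_HOST = {  # chain-valid, but issued for an unrelated name
    "subject": ((("commonName", "other.example.org"),),),
    "subjectAltName": (("DNS", "other.example.org"),),
}
CERT_CN_ONLY = {  # legacy certificate without a subjectAltName extension
    "subject": ((("commonName", "irc.barafranca.com"),),),
}


def _name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, wildcard only as the
    whole leftmost label and never matching more than one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # same label count, and at least two fixed labels so "*.com" is rejected
    return len(plabels) == len(hlabels) >= 3 and plabels[1:] == hlabels[1:]


def hostname_matches(cert, hostname):
    """True if cert is valid for hostname. SAN dNSName entries take
    precedence; the subject CN is consulted only when no SAN is present."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_name_matches(n, hostname) for n in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(cn, hostname) for cn in cns)


def accept_peer(cert, hostname, verify_hostname=True):
    """verify_hostname=False reproduces the unfixed behaviour (the equivalent
    of ssl.SSLContext.check_hostname = False): once the chain validates, any
    certificate is accepted regardless of the name it carries."""
    return True if not verify_hostname else hostname_matches(cert, hostname)
```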

Comment 5 William Kenney 2015-02-03 18:33:06 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
hexchat

default install of hexchat

[root@localhost wilcal]# urpmi hexchat
Package hexchat-2.9.6.1-3.mga4.i586 is already installed

Hexchat desktop UI opens,
connects to freenode then to the Mageia channel

install hexchat from updates_testing

[root@localhost wilcal]# urpmi hexchat
Package hexchat-2.9.6.1-3.1.mga4.i586 is already installed

Hexchat desktop UI opens,
connects to freenode then to the Mageia channel

hexchat-checksum, hexchat-devel, hexchat-devel, hexchat-doat,
hexchat-fishlim, hexchat-perl, hexchat-python, hexchat-sysinfo
all 2.9.6.1-3.1, all installed without error

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int
Whiteboard: (none) => MGA4-32-OK

Comment 6 William Kenney 2015-02-03 18:56:20 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
hexchat

default install of hexchat

[root@localhost wilcal]# urpmi hexchat
Package hexchat-2.9.6.1-3.mga4.x86_64 is already installed

Hexchat desktop UI opens,
connects to freenode then to the Mageia channel

install hexchat from updates_testing

[root@localhost wilcal]# urpmi hexchat
Package hexchat-2.9.6.1-3.1.mga4.x86_64 is already installed

Hexchat desktop UI opens,
check "Use SSL for all the servers on this network"
connects to freenode with the SSL cert then to the Mageia channel

hexchat-checksum, hexchat-devel, hexchat-devel, hexchat-doat,
hexchat-fishlim, hexchat-perl, hexchat-python, hexchat-sysinfo
all 2.9.6.1-3.1, all installed without error

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
William Kenney 2015-02-03 18:57:04 CET

Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Comment 7 William Kenney 2015-02-03 19:01:34 CET
In VirtualBox, M4, KDE, 32-bit

[root@localhost wilcal]# urpmi hexchat
Package hexchat-2.9.6.1-3.1.mga4.i586 is already installed

Hexchat desktop UI opens,
check "Use SSL for all the servers on this network"
connects to freenode with the SSL cert then to the Mageia channel
Comment 8 William Kenney 2015-02-03 19:02:16 CET
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Rémi Verschelde 2015-02-04 11:57:56 CET
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory

Comment 10 Mageia Robot 2015-02-05 23:26:42 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0050.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2015-02-06 18:26:45 CET

URL: (none) => http://lwn.net/Vulnerabilities/632256/

Comment 11 David Walser 2016-04-07 13:50:54 CEST
CVE-2013-7449 has been assigned for this:
http://openwall.com/lists/oss-security/2016/04/06/2

Summary: hexchat does not verify SSL certificates => hexchat does not verify SSL certificates (CVE-2013-7449)

