[Secure-testing-team] Bug#603450: offlineimap: fails check the remote servers ssl certificate is valid

david b db.pub.mail at gmail.com
Sun Nov 14 08:55:23 UTC 2010


Package: offlineimap
Severity: grave
Tags: security
Justification: user security hole

offlineimap performs absolutely no ssl certificate checking. So users could/can be the victim of a man in the middle attack.
In debian the following bugs exist:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536421 (re certificate expiration)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=153240 (re ssl fingerprint checking)

This could be considered a bug in imaplib (http://bugs.python.org/issue10274).
A partial 'fix' is the following (this 'fix' isn't complete and would break connections to servers using self-signed certificates):


WARNING XXX: I haven't tested this 'fix' at all and so it is most likely wrong.

diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py
index a60242b..c37688c 100644
--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@@ -62,7 +62,7 @@ class IMAP4_Tunnel(IMAP4):
         self.infd.close()
         self.outfd.close()
         self.process.wait()
-        
+
 class sslwrapper:
     def __init__(self, sslsock):
         self.sslsock = sslsock
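Review bot: this hunk is whitespace-only (a trailing-space line after `self.process.wait()` becomes an empty line) and has nothing to do with certificate checking; drop it from the security fix so the patch stays minimal and easy to backport to the stable package.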
@@ -171,7 +171,7 @@ def new_open_ssl(self, host = '', port = IMAP4_SSL_PORT):
         if last_error != 0:
             # FIXME
             raise socket.error(last_error)
-        self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile)
+        self.sslobj = ssl_wrap(self.sock, self.keyfile, self.certfile, cert_reqs=ssl.CERT_REQUIRED, ca_certs="/etc/ssl/certs/ca-certificates.crt")
         self.sslobj = sslwrapper(self.sslobj)
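Review bot: the new `ssl_wrap(...)` call in `new_open_ssl` still performs no hostname check, so any certificate chaining to the CA bundle passes regardless of which name it was issued for; after the wrap, compare the peer certificate's subjectAltName/CN against `host` and raise if they differ, instead of relying on `cert_reqs=ssl.CERT_REQUIRED` alone. The hardcoded `ca_certs="/etc/ssl/certs/ca-certificates.crt"` also ties the module to Debian's ca-certificates layout and, as the report itself notes, breaks self-signed servers; make the CA file and the verification mode configurable with verification on by default, and confirm that `ssl` is actually imported in this module, since only `ssl_wrap` is visible in the hunk.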



Although, this isn't complete because it will break self-signed certificate using servers and http://bugs.python.org/issue1589 means that it won't provide full protection etc.
Really, what is required is that by default the certificate is checked and perhaps an option is added to bypass the check.

This isn't a new discovery, see [0], but the package provides no warning about this fact. I added a warning to https://github.com/jgoerzen/offlineimap/wiki/ perhaps debian can add a warning (in the package description) until this is fixed.

[0] - http://thread.gmane.org/gmane.mail.imap.offlineimap.general/760

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (900, 'stable'), (650, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
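The two checks the report says are missing (validation against a trusted CA bundle, and the hostname comparison that issue1589 leaves out), as an added example that is neither the reporter's patch nor offlineimap's code. `make_imap_ssl_context`, its `ca_file`/`verify` parameters and the `SAMPLE_CERT` dict are assumptions constructed for this example; the hostname logic works on a `getpeercert()`-style dict so it can be exercised offline.

```python
import ssl

# Added example, not offlineimap code. Hostname matching is done here over the
# dict shape that getpeercert() returns, so it can be tested without a network.

def make_imap_ssl_context(ca_file=None, verify=True):
    """Context for IMAP over TLS: verify by default, explicit opt-out only.
    ca_file is an assumed parameter; None means the system trust store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if not verify:
        # Order matters: check_hostname must be off before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def context_verifies(ctx):
    """True when the context both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def _label_matches(pattern, hostname):
    """RFC 6125 style: a single '*' is allowed only as the entire leftmost label."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    if p_labels[0] != '*' or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_host(cert, hostname):
    """cert is a getpeercert()-style dict; dNSName SANs win, CN is only a fallback."""
    dns_names = [value for kind, value in cert.get('subjectAltName', ()) if kind == 'DNS']
    if dns_names:
        return any(_label_matches(name, hostname) for name in dns_names)
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                return _label_matches(value, hostname)
    return False

# Constructed sample in getpeercert() format; not taken from any real server.
SAMPLE_CERT = {
    'subject': ((('commonName', 'imap.example.net'),),),
    'subjectAltName': (('DNS', 'imap.example.net'), ('DNS', '*.mail.example.net')),
}
```

With a real connection the same check runs on `sock.getpeercert()` after the handshake, and a mismatch should close the connection rather than fall through to the IMAP login.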
