[Secure-testing-team] Bug#608724: gwibber bypasses certificate checking when providing the login/password for OAuth
Vincent Lefevre
vincent at vinc17.net
Mon Jan 3 00:09:06 UTC 2011
Package: gwibber
Version: 2.91.2-1
Severity: grave
Tags: security
Justification: user security hole
Gwibber bypasses certificate checking when the login/password is
provided, at least to identi.ca.
Here's what I did:
1. Since I revoked Gwibber access for identi.ca a few days ago (by
mistake: it was listed as an unknown application), I had to
re-authorize it. For that, I had to provide my login/password.
2. Gwibber still didn't work with identi.ca: Refresh did nothing.
3. With Firefox, I checked on the "Connected applications"
page that a new application was approved (still listed as
"Unknown application" BTW, but it could only be Gwibber).
This means that my login and password were really sent to
identi.ca.
4. I quit Gwibber.
5. I installed the COMODOHigh-AssuranceSecureServerCA.crt certificate
as described on:
http://www.mail-archive.com/ubuntu-bugs@lists.ubuntu.com/msg2685302.html
6. I restarted Gwibber and did a refresh. It worked!
So, since the needed certificate wasn't installed for Gwibber
(because Refresh didn't work before and worked after its manual
installation) but the login and password had been accepted by
identi.ca before I installed the certificate, this means that
Gwibber didn't do the usual CA certificate checking for the OAuth
part, which is quite critical as this is where the login and
password were sent.
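As an added illustration (not the reporter's code and not Gwibber's, which was Python 2 at the time; this uses the Python 3 standard library), here are the two client-side TLS configurations the report contrasts, plus a small audit that flags a client which would accept any certificate before posting credentials; the names `make_https_context`, `make_https_opener` and `audit_context` are chosen here.

```python
import ssl
import urllib.request
from typing import List, Optional


def make_https_context(verify: bool = True, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Return the TLS settings an HTTPS client will use.

    verify=True is the correct behaviour: the server chain must lead to a
    trusted CA and the certificate must match the host name.  If the chain
    needs an intermediate that the system store lacks (the report's case),
    supply it through cafile rather than switching verification off.
    verify=False reproduces the class of bug in the report: the handshake
    succeeds against any certificate, so whatever is sent afterwards
    (here, a login/password) goes to whoever answers for the host name.
    """
    if verify:
        return ssl.create_default_context(cafile=cafile)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_https_opener(verify: bool = True, cafile: Optional[str] = None):
    """urllib opener carrying the context above (an OAuth token POST would use it)."""
    handler = urllib.request.HTTPSHandler(context=make_https_context(verify, cafile))
    return urllib.request.build_opener(handler)


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer wants before trusting a client to send credentials."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("host name not checked against certificate")
    return findings


if __name__ == "__main__":
    for verify in (True, False):
        print("verify=%s -> %s" % (verify, audit_context(make_https_context(verify)) or ["ok"]))
```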
-- System Information:
Debian Release: 6.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.31-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages gwibber depends on:
ii gnome-keyring 2.30.3-4 GNOME keyring services (daemon and
ii gwibber-service 2.91.2-1 Open source social networking clie
ii libjs-jquery 1.4.2-2 JavaScript library for dynamic web
ii librsvg2-2 2.26.3-1 SAX-based renderer library for SVG
ii librsvg2-common 2.26.3-1 SAX-based renderer library for SVG
ii python 2.6.6-3+squeeze4 interactive high-level object-orie
ii python-dbus 0.83.1-1 simple interprocess messaging syst
ii python-egenix-mxdatetim 3.1.3-4 date and time handling routines fo
ii python-gconf 2.28.1-1 Python bindings for the GConf conf
ii python-gtk2 2.17.0-4 Python bindings for the GTK+ widge
ii python-gtkspell 2.25.3-6 Python bindings for the GtkSpell l
ii python-imaging 1.1.7-2 Python Imaging Library
ii python-mako 0.3.6-1 fast and lightweight templating fo
ii python-oauth 1.0.1-2 Python library implementing of the
ii python-simplejson 2.1.2-1 simple, fast, extensible JSON enco
ii python-support 1.0.11 automated rebuilding support for P
ii python-webkit 1.1.8-1 WebKit/Gtk Python bindings
ii python-wnck 2.30.0-4 Python bindings for the WNCK libra
ii python-xdg 0.19-2 Python library to access freedeskt
gwibber recommends no packages.
Versions of packages gwibber suggests:
pn gwibber-themes <none> (no description available)
-- no debconf information