Bug#961792: balsa: needs to set expected server identity (for CVE-2020-13645)

Daniel Kahn Gillmor dkg at debian.org
Fri Jul 3 23:26:30 BST 2020


Version: 2.6.1-1
Control: notfound 961792 2.5.6-2
Control: notfound 961792 2.4.12-3+b1

On Thu 2020-06-25 10:18:54 +0100, Simon McVittie wrote:
> On Fri, 29 May 2020 at 11:24:06 +0100, Simon McVittie wrote:
>> If I'm reading https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135
>> and related issues correctly, fixing CVE-2020-13645 in glib-networking
>> will break SSL certificate validation in balsa, which is believed to be
>> the only widely-used application that is vulnerable to CVE-2020-13645;
>> the new glib-networking version "fails closed", which if I understand
>> correctly will result in balsa failing to validate any server cert.
>> 
>> In each supported suite, balsa should probably be updated first, and
>> then glib-networking (perhaps with versioned Breaks on the old balsa).
>
> Has anyone who uses balsa had a chance to take a look at this security
> issue? I'd prefer not to team-upload balsa, since I don't use it myself,
> and a balsa user would be able to test it a lot better.

I can confirm that this is a problem for Balsa 2.6.0-2: it cannot
connect to a legitimate IMAP server with sensible TLS credentials when
run against glib-networking 2.64.3-1 (from experimental).

I've uploaded Balsa 2.6.1-1 to unstable, which appears to resolve this
problem.  I've also tested these Balsa versions against an IMAP service
with a certificate mismatch -- they do not "fail open", which is good.

I took a look at the version in debian stable (buster, running balsa
2.5.6-2) and oldstable (stretch, running balsa 2.4.12-3+b1) -- and both
of them correctly fail closed when confronted with a certificate
mismatch.

It appears that older versions of Balsa actually use a (rather
complicated) OpenSSL for the TLS connection.  See
libbalsa/{server,libbalsa}.c for more details.  Upstream adopted
glib-networking/gio in 2.5.7 (see upstream commit
d964df60bbd85b00269da62b99bf2ce57ae442cc, a major internal overhaul),
and the certificate name check failed only on that version or later.

Please mark glib-networking 2.64.3-2 as breaking Balsa versions 2.5.7
through 2.6.0.  If you only care about versions of balsa that are
currently in any release of debian, that would be just:

   Breaks: balsa (= 2.6.0-2)

Hope this helps!

Regards,

        --dkg
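
The behaviour the thread turns on is whether a TLS client tells the TLS layer which server identity it expects, and what the TLS layer does when it was never told. The following is an added illustration written for this archive page, not code from balsa, glib-networking or Debian: a small server-identity check in Python that follows the usual RFC 6125 conventions (case-insensitive DNS names, a single left-most wildcard label that never spans a dot, IP addresses only matched against IP SANs) and that fails closed when the expected identity is unset. The SAN entries and hostnames in it are constructed sample values; `handshake_verdict` is a hypothetical helper whose `skip_check_when_unset` flag models the pre-fix "skip the name check" behaviour the thread describes, purely to contrast it with the fail-closed default.

```python
"""Added example: a fail-closed TLS server-identity check.

Not balsa or glib-networking code; the matching rules are the common RFC 6125
conventions implemented from scratch for illustration.
"""
import ipaddress
from typing import Iterable, Optional


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly with a single leading wildcard
    label) against the expected hostname, case-insensitively."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if any(not lbl for lbl in h_labels):
        return False  # empty label such as "a..b" is never a valid host
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard rules: only the left-most label may be a bare "*", it matches
    # exactly one label, and it must not cover a whole TLD ("*.org") or
    # appear as a partial label ("im*p.example.org").
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_server_identity(cert_names: Iterable[str],
                           expected_identity: Optional[str]) -> bool:
    """Return True only if the certificate's subjectAltName entries cover the
    identity the client expected.

    cert_names uses OpenSSL's textual SAN form ("DNS:host", "IP:addr").
    An unset or blank expected identity yields False: a client that never
    told the TLS layer what it is connecting to gets a rejection, never a
    silently skipped check.
    """
    if expected_identity is None or not expected_identity.strip():
        return False
    expected = expected_identity.strip()
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    for entry in cert_names:
        kind, _, value = entry.partition(":")
        if ip is not None and kind == "IP":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS":
            if _match_dns_name(value, expected):
                return True
    return False


def handshake_verdict(peer_san: Iterable[str], server_identity: Optional[str],
                      skip_check_when_unset: bool = False) -> str:
    """Hypothetical model of the client side of a handshake.

    skip_check_when_unset=True reproduces the pre-fix behaviour the thread
    describes (an unset identity disabled the name check); the default is the
    fail-closed behaviour of the fixed library.
    """
    if server_identity is None and skip_check_when_unset:
        return "accepted (identity check skipped)"
    if verify_server_identity(peer_san, server_identity):
        return "accepted"
    return "rejected"


if __name__ == "__main__":
    # Constructed SAN list for a hypothetical IMAP server certificate.
    san = ["DNS:imap.example.org", "DNS:*.mail.example.org", "IP:192.0.2.10"]
    for ident in ["imap.example.org", "smtp.example.org", "a.mail.example.org",
                  "b.a.mail.example.org", "192.0.2.10", None]:
        print(f"{ident!r:28} fixed={handshake_verdict(san, ident):10} "
              f"legacy={handshake_verdict(san, ident, True)}")
```

The point of the `None` case is the one in the bug title: the application has to set the expected identity; a library that treats an unset identity as "nothing to check" accepts any certificate for any host, and a library that fails closed instead makes the application's omission visible as a connection failure rather than as a silent bypass.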
