Bug#1123738: TLS certificates for CalDAV servers are always trusted and not checked for validity

John Scott jscott at posteo.net
Sat Dec 20 19:30:13 GMT 2025 

Package: errands
Version: 46.2.8-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/mrvladus/Errands/issues/401
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

Having solicited informal opinions from the Debian security mailing list (attached), I'm filing this report to keep an eye on the issue. To summarize, Errands is able to synchronize a user's task and to-do list data using the CalDAV protocol, a superset of HTTP. Credentials may be retrieved from GNOME Online Accounts where setting up CalDAV is already possible, or information can be entered directly in Errands. This consists of a URL (usually HTTPS) and username/password authentication credentials. It is typical for major providers to use HTTP Basic authentication which sends credentials in plain form and relying on TLS to authenticate the server's identity and encrypt data in transit. In its source code, Errands explicitly specifies 'ssl_verify_cert=False' unconditionally when using a Python CalDAV library. It appears this allows it to accept any certificate whatsoever, even from a malicious man-in-the-middle, without notice to the user.
The author doesn't remember why this was needed, but enabling certificate checking works fine for me with a server and my suspicion is the author had a particular service that wasn't doing things properly. Disabling this security check for all users unconditionally and without notice is not an appropriate fix for a compatibility issue. Any genuine client-side bug that would cause certificate verification to unduly fail is most likely in a dependency and is a concern to be separated from Errands.

The author rewrote Errands in C and development focus has shifted there. For Trixie at least, this needs to be handled. I've articulated the risks on the upstream issue to encourage the author to investigate but patching this downstream is trivial. To assess if breakage is likely, a detective might wish to check bug reports for the libraries that Errands depends on (namely the CalDAV one) to see if there are known shortcomings in TLS being handled correctly.

For whatever it's worth, the GNOME ecosystem has decided that disabling TLS certificate verification should never be done in legitimate usage and so (if I recall correctly) GLib/GIO and/or libsoup have been removing any parameters in their API that would allow this to be turned off or making then no-ops. As Errands is part of the GNOME Circle ecosystem and can integrate with GNOME Online Accounts, there is precedent for even a very firm stance on certificate verification.

-- System Information:
Debian Release: 13.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.57+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages errands depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.40.0-5
ii  gir1.2-adw-1                                 1.7.6-1~deb13u1
ii  gir1.2-goa-1.0                               3.54.5-1~deb13u1
ii  gir1.2-gtk-4.0                               4.18.6+ds-2
ii  gir1.2-gtksource-5                           5.16.0-1
ii  gir1.2-secret-1                              0.21.7-1
ii  gir1.2-xdp-1.0                               0.9.1-1
ii  python3                                      3.13.5-1
ii  python3-caldav                               1.3.9-1
ii  python3-gi                                   3.50.0-4+b1
ii  python3-pycryptodome                         3.20.0+dfsg-3

errands recommends no packages.

errands suggests no packages.

-- no debconf information
-------------- next part --------------
An embedded message was scrubbed...
From: John Scott <jscott at posteo.net>
Subject: Errands task manager upstream unconditionally disables TLS certificate verification for CalDAV; does this need to be addressed?
Date: Wed, 10 Dec 2025 04:41:30 +0000
Size: 19020
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20251220/aad99f9b/attachment-0001.eml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 411 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20251220/aad99f9b/attachment-0001.sig>

More information about the pkg-gnome-maintainers mailing list