[Pkg-nagios-devel] Bug#1087411: bookworm-pu: package icinga2/2.13.6-2+deb12u2

Bas Couwenberg sebastic at xs4all.nl
Wed Nov 13 03:28:06 GMT 2024 

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: icinga2 at packages.debian.org
Control: affects -1 + src:icinga2
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
Fix certificate validation bypass for JSON-RPC and HTTP API connections. (CVE-2024-49369)

[ Impact ]
Cluster nodes can be impersonated.

[ Tests ]
Upstream test suite.

[ Risks ]
Low, same change deployed upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The patch cherry-picks the upstream commit from the 2.13 branch.

[ Other info ]
N/A
-------------- next part --------------
diff -Nru icinga2-2.13.6/debian/changelog icinga2-2.13.6/debian/changelog
--- icinga2-2.13.6/debian/changelog	2024-04-06 14:02:31.000000000 +0200
+++ icinga2-2.13.6/debian/changelog	2024-11-12 18:57:26.000000000 +0100
@@ -1,3 +1,11 @@
+icinga2 (2.13.6-2+deb12u2) bookworm; urgency=medium
+
+  * Team upload.
+  * Add upstream patch to fix CVE-2024-49369.
+    (closes: #1087384)
+
+ -- Bas Couwenberg <sebastic at debian.org>  Tue, 12 Nov 2024 18:57:26 +0100
+
 icinga2 (2.13.6-2+deb12u1) bookworm; urgency=medium
 
   * Team upload.
diff -Nru icinga2-2.13.6/debian/patches/CVE-2024-49369.patch icinga2-2.13.6/debian/patches/CVE-2024-49369.patch
--- icinga2-2.13.6/debian/patches/CVE-2024-49369.patch	1970-01-01 01:00:00.000000000 +0100
+++ icinga2-2.13.6/debian/patches/CVE-2024-49369.patch	2024-11-12 18:57:11.000000000 +0100
@@ -0,0 +1,122 @@
+Description: Security: fix TLS certificate validation bypass
+ .
+ The previous validation in set_verify_callback() could be bypassed, tricking
+ Icinga 2 into treating invalid certificates as valid. To fix this, the
+ validation checks were moved into the IsVerifyOK() function.
+ .
+ This is tracked as CVE-2024-49369, more details will be published at a later time.
+Author: Julian Brost <julian.brost at icinga.com>
+Origin: https://github.com/Icinga/icinga2/commit/3504fc7ed688c10d86988e2029a65efc311393fe
+Forwarded: not-needed
+
+--- a/lib/base/tlsstream.cpp
++++ b/lib/base/tlsstream.cpp
+@@ -18,14 +18,48 @@
+ 
+ using namespace icinga;
+ 
+-bool UnbufferedAsioTlsStream::IsVerifyOK() const
++/**
++ * Checks whether the TLS handshake was completed with a valid peer certificate.
++ *
++ * @return true if the peer presented a valid certificate, false otherwise
++ */
++bool UnbufferedAsioTlsStream::IsVerifyOK()
+ {
+-	return m_VerifyOK;
++	if (!SSL_is_init_finished(native_handle())) {
++		// handshake was not completed
++		return false;
++	}
++
++	if (GetPeerCertificate() == nullptr) {
++		// no peer certificate was sent
++		return false;
++	}
++
++	return SSL_get_verify_result(native_handle()) == X509_V_OK;
+ }
+ 
+-String UnbufferedAsioTlsStream::GetVerifyError() const
++/**
++ * Returns a human-readable error string for situations where IsVerifyOK() returns false.
++ *
++ * If the handshake was completed and a peer certificate was provided,
++ * the string additionally contains the OpenSSL verification error code.
++ *
++ * @return string containing the error message
++ */
++String UnbufferedAsioTlsStream::GetVerifyError()
+ {
+-	return m_VerifyError;
++	if (!SSL_is_init_finished(native_handle())) {
++		return "handshake not completed";
++	}
++
++	if (GetPeerCertificate() == nullptr) {
++		return "no peer certificate provided";
++	}
++
++	std::ostringstream buf;
++	long err = SSL_get_verify_result(native_handle());
++	buf << "code " << err << ": " << X509_verify_cert_error_string(err);
++	return buf.str();
+ }
+ 
+ std::shared_ptr<X509> UnbufferedAsioTlsStream::GetPeerCertificate()
+@@ -43,17 +77,17 @@ void UnbufferedAsioTlsStream::BeforeHand
+ 
+ 	set_verify_mode(ssl::verify_peer | ssl::verify_client_once);
+ 
+-	set_verify_callback([this](bool preverified, ssl::verify_context& ctx) {
+-		if (!preverified) {
+-			m_VerifyOK = false;
+-
+-			std::ostringstream msgbuf;
+-			int err = X509_STORE_CTX_get_error(ctx.native_handle());
+-
+-			msgbuf << "code " << err << ": " << X509_verify_cert_error_string(err);
+-			m_VerifyError = msgbuf.str();
+-		}
+-
++	set_verify_callback([](bool preverified, ssl::verify_context& ctx) {
++		(void) preverified;
++		(void) ctx;
++
++		/* Continue the handshake even if an invalid peer certificate was presented. The verification result has to be
++		 * checked using the IsVerifyOK() method.
++		 *
++		 * Such connections are used for the initial enrollment of nodes where they use a self-signed certificate to
++		 * send a certificate request and receive their valid certificate after approval (manually by the administrator
++		 * or using a certificate ticket).
++		 */
+ 		return true;
+ 	});
+ 
+--- a/lib/base/tlsstream.hpp
++++ b/lib/base/tlsstream.hpp
+@@ -70,12 +70,12 @@ class UnbufferedAsioTlsStream : public A
+ public:
+ 	inline
+ 	UnbufferedAsioTlsStream(UnbufferedAsioTlsStreamParams& init)
+-		: AsioTcpTlsStream(init.IoContext, init.SslContext), m_VerifyOK(true), m_Hostname(init.Hostname)
++		: AsioTcpTlsStream(init.IoContext, init.SslContext), m_Hostname(init.Hostname)
+ 	{
+ 	}
+ 
+-	bool IsVerifyOK() const;
+-	String GetVerifyError() const;
++	bool IsVerifyOK();
++	String GetVerifyError();
+ 	std::shared_ptr<X509> GetPeerCertificate();
+ 
+ 	template<class... Args>
+@@ -97,8 +97,6 @@ public:
+ 	}
+ 
+ private:
+-	bool m_VerifyOK;
+-	String m_VerifyError;
+ 	String m_Hostname;
+ 
+ 	void BeforeHandshake(handshake_type type);
diff -Nru icinga2-2.13.6/debian/patches/series icinga2-2.13.6/debian/patches/series
--- icinga2-2.13.6/debian/patches/series	2024-04-06 14:02:31.000000000 +0200
+++ icinga2-2.13.6/debian/patches/series	2024-11-12 18:55:21.000000000 +0100
@@ -1,2 +1,3 @@
 21_config_changes
 postgres-checkcommand.patch
+CVE-2024-49369.patch

More information about the Pkg-nagios-devel mailing list