Your message dated Sat, 11 Jan 2025 11:03:09 +0000
with message-id <e1twzgn-009jyj...@coccia.debian.org>
and subject line Close 1087411
has caused the Debian Bug report #1087411,
regarding bookworm-pu: package icinga2/2.13.6-2+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1087411: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087411
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: icin...@packages.debian.org
Control: affects -1 + src:icinga2
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
Fix certificate validation bypass for JSON-RPC and HTTP API connections.
(CVE-2024-49369)

[ Impact ]
Cluster nodes can be impersonated.

[ Tests ]
Upstream test suite.

[ Risks ]
Low, same change deployed upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The patch cherry-picks the upstream commit from the 2.13 branch.

[ Other info ]
N/A
diff -Nru icinga2-2.13.6/debian/changelog icinga2-2.13.6/debian/changelog
--- icinga2-2.13.6/debian/changelog     2024-04-06 14:02:31.000000000 +0200
+++ icinga2-2.13.6/debian/changelog     2024-11-12 18:57:26.000000000 +0100
@@ -1,3 +1,11 @@
+icinga2 (2.13.6-2+deb12u2) bookworm; urgency=medium
+
+  * Team upload.
+  * Add upstream patch to fix CVE-2024-49369.
+    (closes: #1087384)
+
+ -- Bas Couwenberg <sebas...@debian.org>  Tue, 12 Nov 2024 18:57:26 +0100
+
 icinga2 (2.13.6-2+deb12u1) bookworm; urgency=medium
 
   * Team upload.
diff -Nru icinga2-2.13.6/debian/patches/CVE-2024-49369.patch 
icinga2-2.13.6/debian/patches/CVE-2024-49369.patch
--- icinga2-2.13.6/debian/patches/CVE-2024-49369.patch  1970-01-01 
01:00:00.000000000 +0100
+++ icinga2-2.13.6/debian/patches/CVE-2024-49369.patch  2024-11-12 
18:57:11.000000000 +0100
@@ -0,0 +1,122 @@
+Description: Security: fix TLS certificate validation bypass
+ .
+ The previous validation in set_verify_callback() could be bypassed, tricking
+ Icinga 2 into treating invalid certificates as valid. To fix this, the
+ validation checks were moved into the IsVerifyOK() function.
+ .
+ This is tracked as CVE-2024-49369, more details will be published at a later 
time.
+Author: Julian Brost <julian.br...@icinga.com>
+Origin: 
https://github.com/Icinga/icinga2/commit/3504fc7ed688c10d86988e2029a65efc311393fe
+Forwarded: not-needed
+
+--- a/lib/base/tlsstream.cpp
++++ b/lib/base/tlsstream.cpp
+@@ -18,14 +18,48 @@
+ 
+ using namespace icinga;
+ 
+-bool UnbufferedAsioTlsStream::IsVerifyOK() const
++/**
++ * Checks whether the TLS handshake was completed with a valid peer 
certificate.
++ *
++ * @return true if the peer presented a valid certificate, false otherwise
++ */
++bool UnbufferedAsioTlsStream::IsVerifyOK()
+ {
+-      return m_VerifyOK;
++      if (!SSL_is_init_finished(native_handle())) {
++              // handshake was not completed
++              return false;
++      }
++
++      if (GetPeerCertificate() == nullptr) {
++              // no peer certificate was sent
++              return false;
++      }
++
++      return SSL_get_verify_result(native_handle()) == X509_V_OK;
+ }
+ 
+-String UnbufferedAsioTlsStream::GetVerifyError() const
++/**
++ * Returns a human-readable error string for situations where IsVerifyOK() 
returns false.
++ *
++ * If the handshake was completed and a peer certificate was provided,
++ * the string additionally contains the OpenSSL verification error code.
++ *
++ * @return string containing the error message
++ */
++String UnbufferedAsioTlsStream::GetVerifyError()
+ {
+-      return m_VerifyError;
++      if (!SSL_is_init_finished(native_handle())) {
++              return "handshake not completed";
++      }
++
++      if (GetPeerCertificate() == nullptr) {
++              return "no peer certificate provided";
++      }
++
++      std::ostringstream buf;
++      long err = SSL_get_verify_result(native_handle());
++      buf << "code " << err << ": " << X509_verify_cert_error_string(err);
++      return buf.str();
+ }
+ 
+ std::shared_ptr<X509> UnbufferedAsioTlsStream::GetPeerCertificate()
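Review bot: the `GetPeerCertificate() == nullptr` check in IsVerifyOK() is what makes the `SSL_get_verify_result(native_handle()) == X509_V_OK` test safe, because OpenSSL reports X509_V_OK when the peer presented no certificate at all (no verification error occurred), and the comment `// no peer certificate was sent` should say so, otherwise a later cleanup could fold the two checks into one and reopen a fail-open path. GetVerifyError() mirrors the same ordering and returns "no peer certificate provided" before consulting the result code, which is correct. Minor: `long err` here replaces the old `int err` taken from X509_STORE_CTX_get_error(); SSL_get_verify_result() returns a long and X509_verify_cert_error_string() takes one, so the new type is the right one.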
+@@ -43,17 +77,17 @@ void UnbufferedAsioTlsStream::BeforeHand
+ 
+       set_verify_mode(ssl::verify_peer | ssl::verify_client_once);
+ 
+-      set_verify_callback([this](bool preverified, ssl::verify_context& ctx) {
+-              if (!preverified) {
+-                      m_VerifyOK = false;
+-
+-                      std::ostringstream msgbuf;
+-                      int err = X509_STORE_CTX_get_error(ctx.native_handle());
+-
+-                      msgbuf << "code " << err << ": " << 
X509_verify_cert_error_string(err);
+-                      m_VerifyError = msgbuf.str();
+-              }
+-
++      set_verify_callback([](bool preverified, ssl::verify_context& ctx) {
++              (void) preverified;
++              (void) ctx;
++
++              /* Continue the handshake even if an invalid peer certificate 
was presented. The verification result has to be
++               * checked using the IsVerifyOK() method.
++               *
++               * Such connections are used for the initial enrollment of 
nodes where they use a self-signed certificate to
++               * send a certificate request and receive their valid 
certificate after approval (manually by the administrator
++               * or using a certificate ticket).
++               */
+               return true;
+       });
+ 
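Review bot: the callback still returns true unconditionally, as the unchanged `return true;` shows, but it no longer records anything, so the TLS layer itself accepts any certificate and the fix rests entirely on the call sites: every JSON-RPC and HTTP API path named in [Reason] must call IsVerifyOK() after the handshake and drop the peer when it returns false. This debdiff only touches lib/base/tlsstream.cpp and tlsstream.hpp, so please confirm in the bookworm source that those consumers check IsVerifyOK() and not some other signal. The comment block explains the enrollment use case well; adding one sentence stating that contract explicitly (nothing may trust the peer before IsVerifyOK() succeeds) would help future readers. Style: `(void) preverified; (void) ctx;` could be avoided by leaving the lambda parameters unnamed, `[](bool, ssl::verify_context&)`.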
+--- a/lib/base/tlsstream.hpp
++++ b/lib/base/tlsstream.hpp
+@@ -70,12 +70,12 @@ class UnbufferedAsioTlsStream : public A
+ public:
+       inline
+       UnbufferedAsioTlsStream(UnbufferedAsioTlsStreamParams& init)
+-              : AsioTcpTlsStream(init.IoContext, init.SslContext), 
m_VerifyOK(true), m_Hostname(init.Hostname)
++              : AsioTcpTlsStream(init.IoContext, init.SslContext), 
m_Hostname(init.Hostname)
+       {
+       }
+ 
+-      bool IsVerifyOK() const;
+-      String GetVerifyError() const;
++      bool IsVerifyOK();
++      String GetVerifyError();
+       std::shared_ptr<X509> GetPeerCertificate();
+ 
+       template<class... Args>
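Review bot: the removed `m_VerifyOK(true)` initialiser is the substantive part of this hunk: a stream whose verify callback never ran, for instance because the handshake had not completed, previously reported itself as verified, whereas the new IsVerifyOK() in tlsstream.cpp returns false until SSL_is_init_finished() is true and a peer certificate is present. Dropping `const` from IsVerifyOK() and GetVerifyError() is necessary because they now call native_handle() and GetPeerCertificate(), both non-const; any caller holding a `const UnbufferedAsioTlsStream` reference will fail to compile rather than misbehave, so a clean rebuild of the package is enough to verify this.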
+@@ -97,8 +97,6 @@ public:
+       }
+ 
+ private:
+-      bool m_VerifyOK;
+-      String m_VerifyError;
+       String m_Hostname;
+ 
+       void BeforeHandshake(handshake_type type);
diff -Nru icinga2-2.13.6/debian/patches/series 
icinga2-2.13.6/debian/patches/series
--- icinga2-2.13.6/debian/patches/series        2024-04-06 14:02:31.000000000 
+0200
+++ icinga2-2.13.6/debian/patches/series        2024-11-12 18:55:21.000000000 
+0100
@@ -1,2 +1,3 @@
 21_config_changes
 postgres-checkcommand.patch
+CVE-2024-49369.patch

--- End Message ---
--- Begin Message ---
Version: 12.9
This update has been released as part of 12.9. Thank you for your contribution.

--- End Message ---
