linuxdcpp-team team mailing list archive
Message #05565
[Bug 991342] Re: KEYP Vulnerability
DC++ follows the spec in this regard; this should be discussed with ADC maintainers to decide whether taking the cert chain into account is indeed necessary.
rev 34 of ADC might be relevant: <http://adc.svn.sourceforge.net/viewvc/adc/trunk/ADC-EXT.txt?r1=34&r2=33&pathrev=34>
Is this really a security issue? If 2 peers disagree on their KEYP, the worst that could happen is a failure to establish the connection. I fail to see how a third party could exploit this divergence to "sneak a cert into the chain" while keeping the KEYP intact.
** Changed in: dcplusplus
Importance: Critical => Low
--
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/991342
Title:
KEYP Vulnerability
Status in DC++:
New
Bug description:
With the current vulnerability in DC++'s current KEYP implementation, the underlying issue seems to be this ...
[2012-04-26 09:24] <Crise> anyways, the thing with keyp is an entirely different problem... which is basically that it only verifies keyp on the peer level certificate and not on the whole chain as it should
Crise has stated he has another source who knows the exploit but will not divulge who he is.
To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/991342/+subscriptions
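The two behaviours the thread argues about, a keyprint compared against the leaf certificate only versus one compared against every certificate in the presented chain, are easier to reason about side by side. The following is an added example written for this archive page; it is not DC++ code and not taken from the ADC specification. It assumes a keyprint is written as `<ALGO>/<base32 digest>` with the digest taken over the raw DER bytes and the padding stripped (the form DC++ shows for SHA256 keyprints); the "chain-aware" semantics in `verify_chain` are an assumption for illustration, and the three "certificates" are constructed byte strings rather than real X.509 data.

```python
import base64
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed stand-ins for DER-encoded certificates (not real X.509 data);
# the chain is ordered leaf first, then intermediate, then root.
LEAF_DER = b"constructed-leaf-certificate-der"
INTERMEDIATE_DER = b"constructed-intermediate-certificate-der"
ROOT_DER = b"constructed-root-certificate-der"
CHAIN: List[bytes] = [LEAF_DER, INTERMEDIATE_DER, ROOT_DER]


def keyprint(der: bytes, algo: str = "SHA256") -> str:
    """Render a keyprint as '<ALGO>/<base32 digest>'.

    Assumption: the digest is taken over the raw DER bytes and the base32
    text carries no '=' padding, which is the form DC++ shows for SHA256
    keyprints; nothing else about the ADC spec is assumed here."""
    digest = hashlib.new(algo.lower(), der).digest()
    return algo + "/" + base64.b32encode(digest).decode("ascii").rstrip("=")


def parse_keyprint(kp: str) -> Tuple[str, bytes]:
    """Split '<ALGO>/<base32>' into (algorithm name, raw digest bytes)."""
    algo, sep, encoded = kp.partition("/")
    if not sep or not algo or not encoded:
        raise ValueError("keyprint must look like ALGO/BASE32DIGEST")
    padding = "=" * ((-len(encoded)) % 8)   # restore the stripped padding
    return algo.upper(), base64.b32decode(encoded + padding)


def verify_leaf_only(chain: List[bytes], expected_kp: str) -> bool:
    """The behaviour the bug report describes: the keyprint is compared with
    the peer (leaf) certificate only; deeper certificates are never hashed."""
    algo, digest = parse_keyprint(expected_kp)
    actual = hashlib.new(algo.lower(), chain[0]).digest()
    return hmac.compare_digest(actual, digest)


def verify_chain(chain: List[bytes], expected_kp: str) -> Optional[int]:
    """Chain-aware variant (assumed semantics, not taken from the spec):
    return the depth at which the keyprint matches some certificate in the
    presented chain (0 = leaf), or None if it matches nowhere.

    A match at depth > 0 only says the pinned issuer is present; a real
    client must additionally validate that every certificate below that
    depth is signed by the one above it, which this example cannot do on
    constructed bytes."""
    algo, digest = parse_keyprint(expected_kp)
    for depth, der in enumerate(chain):
        actual = hashlib.new(algo.lower(), der).digest()
        if hmac.compare_digest(actual, digest):
            return depth
    return None


if __name__ == "__main__":
    pinned = keyprint(ROOT_DER)   # the operator pinned the root, not the leaf
    print("pinned keyprint:", pinned)
    print("leaf-only check:", verify_leaf_only(CHAIN, pinned))   # False
    print("chain check depth:", verify_chain(CHAIN, pinned))      # 2
```

Run as written, the leaf-only check rejects a keyprint that was pinned to the root certificate while the chain-aware check reports the depth at which it matched. That illustrates the reply's point: when the two sides disagree about which certificate the keyprint names, the result is a refused connection rather than an accepted forged one, because an attacker who cannot produce the pinned certificate's private key still cannot complete the handshake.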