linuxdcpp-team team mailing list archive

[Bug 1516181] [NEW] disabled keyprint check for hubs

*** This bug is a security vulnerability ***

Private security bug reported:

According to this line
http://sourceforge.net/p/dcplusplus/code/ci/default/tree/dcpp/Client.cpp#l143,
the keyprint of the hub will never be sent to SSLSocket, so
CryptoManager::verify_callback will fail to check the certificate's keyprint
and will return ok even if allowUntrustedHubs is off. This line should
end with SETTING(ALLOW_UNTRUSTED_HUBS), true, keyprint);

** Affects: dcplusplus
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1516181

Title:
  disabled keyprint check for hubs

Status in DC++:
  New

Bug description:
  According to this line
  http://sourceforge.net/p/dcplusplus/code/ci/default/tree/dcpp/Client.cpp#l143,
  the keyprint of the hub will never be sent to SSLSocket, so
  CryptoManager::verify_callback will fail to check the certificate's
  keyprint and will return ok even if allowUntrustedHubs is off. This
  line should end with SETTING(ALLOW_UNTRUSTED_HUBS), true, keyprint);

To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/1516181/+subscriptions
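
The effect of a keyprint that never reaches the verifier can be shown with a simplified model (an added example, not DC++ code and not part of the original report). The function names, the `kp` query parameter, the `SHA256/<base32>` keyprint format and the sample data are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit


def keyprint_of(cert_der: bytes) -> str:
    # Assumed format: "SHA256/" + unpadded base32 of SHA-256 over the DER certificate.
    digest = hashlib.sha256(cert_der).digest()
    return "SHA256/" + base64.b32encode(digest).decode("ascii").rstrip("=")


def keyprint_from_url(hub_url: str) -> str:
    # Assumed: the expected keyprint travels in a "kp" query parameter of the hub address.
    return parse_qs(urlsplit(hub_url).query).get("kp", [""])[0]


def verify_peer(cert_der: bytes, chain_ok: bool, allow_untrusted: bool,
                keyprint: str = "") -> bool:
    if keyprint:
        # A pin was supplied: only the pinned certificate may pass,
        # whatever the chain validation result was.
        return hmac.compare_digest(keyprint_of(cert_der), keyprint)
    # No pin reached the verifier: fail closed unless the chain validated
    # or the user explicitly allowed untrusted hubs.
    return chain_ok or allow_untrusted


def connect(hub_url: str, cert_der: bytes, chain_ok: bool, allow_untrusted: bool,
            forward_keyprint: bool = True) -> bool:
    # forward_keyprint=False models a call site that omits the keyprint argument.
    kp = keyprint_from_url(hub_url) if forward_keyprint else ""
    return verify_peer(cert_der, chain_ok, allow_untrusted, kp)


# Constructed sample data: opaque byte strings stand in for DER certificates.
PINNED_CERT = b"constructed-hub-certificate"
OTHER_CERT = b"constructed-substitute-certificate"
HUB_URL = "adcs://hub.example.invalid:4112/?kp=" + keyprint_of(PINNED_CERT)

if __name__ == "__main__":
    print("pinned cert, pin forwarded:", connect(HUB_URL, PINNED_CERT, False, False))
    print("other cert, pin forwarded: ", connect(HUB_URL, OTHER_CERT, True, False))
    print("other cert, pin dropped:   ",
          connect(HUB_URL, OTHER_CERT, True, False, forward_keyprint=False))
```

A regression test that connects with a certificate other than the pinned one and expects a rejection catches a call site that drops the keyprint.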

