[gnome-online-accounts/f17] Backport fix for RH #908000 (CVE-2013-0240)
Debarshi Ray
rishi at fedoraproject.org
Fri Feb 8 15:33:57 UTC 2013
commit 0513b18723bc8b9600899c447fb326f7a512b639
Author: Debarshi Ray <debarshir at gnome.org>
Date: Fri Feb 8 16:33:53 2013 +0100
Backport fix for RH #908000 (CVE-2013-0240)
Do-not-allow-invalid-SSL-certificates.patch | 49 +++++++++++++++++++++++++++
gnome-online-accounts.spec | 10 +++++-
2 files changed, 58 insertions(+), 1 deletions(-)
---
diff --git a/Do-not-allow-invalid-SSL-certificates.patch b/Do-not-allow-invalid-SSL-certificates.patch
new file mode 100644
index 0000000..e735349
--- /dev/null
+++ b/Do-not-allow-invalid-SSL-certificates.patch
@@ -0,0 +1,49 @@
+From 5a3d3862b0765385f38ca1ba2a9e2e74eb0d111d Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie at collabora.co.uk>
+Date: Tue, 05 Feb 2013 13:43:34 +0000
+Subject: CVE-2013-0240: Do not allow invalid SSL certificates
+
+None of the branded providers (eg., Google, Facebook and Windows Live)
+should ever have an invalid certificate; and in this version of GOA,
+that's all we have. So set "ssl-strict" on the SoupSession object
+being used by GoaWebView.
+
+Reviewed-by: Debarshi Ray <debarshir at gnome.org>
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=693214
+---
+diff --git a/src/goabackend/goaoauth2provider.c b/src/goabackend/goaoauth2provider.c
+index 2cf2e54..5645ead 100644
+--- a/src/goabackend/goaoauth2provider.c
++++ b/src/goabackend/goaoauth2provider.c
+@@ -747,6 +747,12 @@ get_tokens_and_identity (GoaOAuth2Provider *provider,
+ SoupCookieJar *cookie_jar;
+
+ webkit_soup_session = webkit_get_default_session ();
++
++ g_object_set (webkit_soup_session,
++ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
++ SOUP_SESSION_SSL_STRICT, TRUE,
++ NULL);
++
+ /* Get the proxy configuration from the GNOME settings */
+ soup_session_add_feature_by_type (webkit_soup_session, SOUP_TYPE_PROXY_RESOLVER_GNOME);
+ /* Set the Accept-Language header automatically */
+diff --git a/src/goabackend/goaoauthprovider.c b/src/goabackend/goaoauthprovider.c
+index 1dbd5a1..5d76f02 100644
+--- a/src/goabackend/goaoauthprovider.c
++++ b/src/goabackend/goaoauthprovider.c
+@@ -708,6 +708,12 @@ get_tokens_and_identity (GoaOAuthProvider *provider,
+ SoupCookieJar *cookie_jar;
+
+ webkit_soup_session = webkit_get_default_session ();
++
++ g_object_set (webkit_soup_session,
++ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
++ SOUP_SESSION_SSL_STRICT, TRUE,
++ NULL);
++
+ /* Get the proxy configuration from the GNOME settings */
+ soup_session_add_feature_by_type (webkit_soup_session, SOUP_TYPE_PROXY_RESOLVER_GNOME);
+
+--
+cgit v0.9.0.2
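Review bot: The reason the two g_object_set calls make certificate validation unconditional lives only in the patch's commit message ("none of the branded providers should ever have an invalid certificate"), so the new lines in get_tokens_and_identity in both goaoauth2provider.c and goaoauthprovider.c deserve an inline comment such as `/* Only branded providers exist in this version and none may present an invalid certificate, so reject anything that fails system CA validation (CVE-2013-0240). */`. That matters because webkit_get_default_session() appears to hand back a shared session, so SOUP_SESSION_SSL_STRICT is being enforced for every request WebKit makes in this process, and a future provider that needs a private CA would have to revisit this spot rather than quietly relax it. The identical five-line block is pasted into both providers; a small static helper that configures the session would keep the two from drifting apart if the policy is ever refined. get_tokens_and_identity's body begins and ends outside these hunks.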
diff --git a/gnome-online-accounts.spec b/gnome-online-accounts.spec
index 6904338..d4e964a 100644
--- a/gnome-online-accounts.spec
+++ b/gnome-online-accounts.spec
@@ -1,6 +1,6 @@
Name: gnome-online-accounts
Version: 3.4.2
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Provide online accounts information
Group: System Environment/Libraries
@@ -11,6 +11,10 @@ Source0: http://download.gnome.org/sources/gnome-online-accounts/3.4/%{name}-%{v
# https://bugzilla.gnome.org/660932 , https://bugzilla.redhat.com/863419
Patch0: 0001-Make-sure-that-FALSE-is-returned-if-refresh_account-.patch
+# CVE-2013-0240
+# https://bugzilla.gnome.org/693214, https://bugzilla.redhat.com/908000
+Patch1: Do-not-allow-invalid-SSL-certificates.patch
+
BuildRequires: gtk3-devel glib2-devel
BuildRequires: gobject-introspection-devel
BuildRequires: gtk-doc intltool
@@ -37,6 +41,7 @@ files for developing applications that use gnome-online-accounts.
%prep
%setup -q
%patch0 -p1
+%patch1 -p1
%build
%configure --disable-static --enable-gtk-doc --enable-facebook --enable-windows-live
@@ -84,6 +89,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%{_datadir}/gtk-doc/html/goa/
%changelog
+* Fri Feb 08 2013 Debarshi Ray <rishi at fedoraproject.org> - 3.4.2-3
+- Backport fix for RH #908000 (CVE-2013-0240)
+
* Mon Oct 15 2012 Debarshi Ray <rishi at fedoraproject.org> - 3.4.2-2
- Backport fix for RH #863419