Bug 695106 - CVE-2013-1799: Do not send the credentials before notifying the user of an invalid SSL certificate
Status: RESOLVED FIXED
Product: gnome-online-accounts
Classification: Core
Component: general
Version: 3.6.x
Hardware: Other
OS: All
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: GNOME Online Accounts maintainer(s)
QA Contact: GNOME Online Accounts maintainer(s)
Depends on:
Blocks:
Reported: 2013-03-04 08:18 UTC by Debarshi Ray
Modified: 2013-03-04 14:27 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
Guard against invalid SSL certificates (5.97 KB, patch), 2013-03-04 08:19 UTC, Debarshi Ray, committed
[3.6.x] Guard against invalid SSL certificates (5.96 KB, patch), 2013-03-04 12:16 UTC, Debarshi Ray, committed

Description Debarshi Ray 2013-03-04 08:18:11 UTC
The fix for CVE-2013-0240 was incomplete.

For providers like ownCloud and Exchange, which use libsoup to talk to an HTTPS server, we should not be sending the credentials over the wire before the user has had a chance to react to the "certificate is invalid" message.

This is fixed in master and gnome-3-8.
Comment 1 Debarshi Ray 2013-03-04 08:19:31 UTC
Created attachment 237934
Guard against invalid SSL certificates

The patch for master and gnome-3-8.
Comment 2 Debarshi Ray 2013-03-04 12:16:29 UTC
Created attachment 237969
[3.6.x] Guard against invalid SSL certificates

Patch for the gnome-3-6 branch. I have tested this, but a 2nd opinion would be nice.