GNOME Bugzilla – Bug 671535
Security issue in libgdata
Last modified: 2012-05-03 16:37:52 UTC
.
[Forwarded by Marc (CC'ed) to GNOME release-team - Thanks!] Details from the currently private bug in launchpad.net (see "See Also:" field for the URL) follow: ---- When accessing google services over SSL, the certificate is not validated, which allows a MITM attack that can expose user name and password. This bug can be easily exploited using a tool such as sslsniff. ---- Attached is a proposed patch that the reporter Vreixo Formoso has submitted to the bug.
Created attachment 209142 [details] [review] Patch
Created attachment 209224 [details] [review] core: Validate SSL certificates for all connections Good catch. I can't see the Launchpad bug, but I presume all the relevant details have been copied across here, Andre? Here's an updated patch which allows setting of the cert dir at compile time. Is there any special procedure for handling fixes to security bugs? For example, do the release team want a libgdata micro release ready for 0.8 before I push the fix to master, or something?
Hey Philip, an alternative to the configure flag has been given by Matthias: > A much better option is to > just specify ssl-use-system-ca-file. But that option is pretty new, so > may not be an options for current distributions.
(In reply to comment #3) > Good catch. I can't see the Launchpad bug, but I presume all the relevant > details have been copied across here, Andre? Marc (CCed) has access - I highly assume that he copied everything relevant.
(In reply to comment #4) > Hey Philip, an alternative to the configure flag has been given by Matthias: > > > A much better option is to > > just specify ssl-use-system-ca-file. But that option is pretty new, so > > may not be an options for current distributions. Ah, I didn't know about that. In that case, I'll use ssl-use-system-ca-file for the fix on master, and attachment #209224 [details] for older branches (so as to not bump their libsoup dependency all the way up to 2.38). If that's OK, are there any special things I need to do for the r-t before committing?
(In reply to comment #5) > (In reply to comment #3) > > Good catch. I can't see the Launchpad bug, but I presume all the relevant > > details have been copied across here, Andre? > > Marc (CCed) has access - I highly assume that he copied everything relevant. I did. If anyone wants access to it, just let me know your launchpad id, and I'll subscribe you.
Fixed as described in comment #6, and releases (0.10.2 and 0.11.1) made containing the fix. Fixed on master: commit 6799f2c525a584dc998821a6ce897e463dad7840 Author: Philip Withnall <philip@tecnocode.co.uk> Date: Thu Mar 8 00:09:08 2012 +0000 core: Validate SSL certificates for all connections This prevents MitM attacks which use spoofed SSL certificates. Note that this bumps our libsoup requirement to 2.37.91. Closes: https://bugzilla.gnome.org/show_bug.cgi?id=671535 configure.ac | 2 +- gdata/gdata-service.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) and libgdata-0-10: commit 8eff8fa9138859e03e58c2aa76600ab63eb5c29c Author: Philip Withnall <philip@tecnocode.co.uk> Date: Thu Mar 8 00:09:08 2012 +0000 core: Validate SSL certificates for all connections This prevents MitM attacks which use spoofed SSL certificates. Closes: https://bugzilla.gnome.org/show_bug.cgi?id=671535 configure.ac | 7 +++++++ gdata/gdata-service.c | 2 +- 2 files changed, 8 insertions(+), 1 deletions(-)
*** Bug 675377 has been marked as a duplicate of this bug. ***