r36622 - in /desktop/unstable/gnome-online-accounts/debian: changelog patches/3.4.x-CVE-2013-0240.patch patches/series

smcv at users.alioth.debian.org smcv at users.alioth.debian.org
Tue Feb 5 17:20:25 UTC 2013


Author: smcv
Date: Tue Feb  5 17:20:25 2013
New Revision: 36622

URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=36622
Log:
CVE-2013-0240: check TLS certificates for web services (Closes: #699825)

Added:
    desktop/unstable/gnome-online-accounts/debian/patches/3.4.x-CVE-2013-0240.patch
Modified:
    desktop/unstable/gnome-online-accounts/debian/changelog
    desktop/unstable/gnome-online-accounts/debian/patches/series

Modified: desktop/unstable/gnome-online-accounts/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/gnome-online-accounts/debian/changelog?rev=36622&op=diff
==============================================================================
--- desktop/unstable/gnome-online-accounts/debian/changelog [utf-8] (original)
+++ desktop/unstable/gnome-online-accounts/debian/changelog [utf-8] Tue Feb  5 17:20:25 2013
@@ -1,3 +1,10 @@
+gnome-online-accounts (3.4.2-2) unstable; urgency=medium
+
+  * Team upload.
+  * CVE-2013-0240: check TLS certificates for web services (Closes: #699825)
+
+ -- Simon McVittie <smcv at debian.org>  Tue, 05 Feb 2013 15:51:24 +0000
+
 gnome-online-accounts (3.4.2-1) unstable; urgency=low
 
   * New upstream release.

Added: desktop/unstable/gnome-online-accounts/debian/patches/3.4.x-CVE-2013-0240.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/gnome-online-accounts/debian/patches/3.4.x-CVE-2013-0240.patch?rev=36622&op=file
==============================================================================
--- desktop/unstable/gnome-online-accounts/debian/patches/3.4.x-CVE-2013-0240.patch (added)
+++ desktop/unstable/gnome-online-accounts/debian/patches/3.4.x-CVE-2013-0240.patch [utf-8] Tue Feb  5 17:20:25 2013
@@ -1,0 +1,54 @@
+From 407c4cf96519cd9801cec4bc630c6e0d451c82a3 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie at collabora.co.uk>
+Date: Tue, 5 Feb 2013 13:43:34 +0000
+Subject: [PATCH] CVE-2013-0240: Do not allow invalid SSL certificates
+
+None of the branded providers (eg., Google, Facebook and Windows Live)
+should ever have an invalid certificate; and in this version of GOA,
+that's all we have. So set "ssl-strict" on the SoupSession object
+being used by GoaWebView.
+
+Forwarded: yes
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=693214
+---
+ src/goabackend/goaoauth2provider.c |    6 ++++++
+ src/goabackend/goaoauthprovider.c  |    6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/goabackend/goaoauth2provider.c b/src/goabackend/goaoauth2provider.c
+index 2cf2e54..5645ead 100644
+--- a/src/goabackend/goaoauth2provider.c
++++ b/src/goabackend/goaoauth2provider.c
+@@ -747,6 +747,12 @@ get_tokens_and_identity (GoaOAuth2Provider  *provider,
+       SoupCookieJar *cookie_jar;
+ 
+       webkit_soup_session = webkit_get_default_session ();
++
++      g_object_set (webkit_soup_session,
++          SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
++          SOUP_SESSION_SSL_STRICT, TRUE,
++          NULL);
++
+       /* Get the proxy configuration from the GNOME settings */
+       soup_session_add_feature_by_type (webkit_soup_session, SOUP_TYPE_PROXY_RESOLVER_GNOME);
+       /* Set the Accept-Language header automatically */
+diff --git a/src/goabackend/goaoauthprovider.c b/src/goabackend/goaoauthprovider.c
+index 1dbd5a1..5d76f02 100644
+--- a/src/goabackend/goaoauthprovider.c
++++ b/src/goabackend/goaoauthprovider.c
+@@ -708,6 +708,12 @@ get_tokens_and_identity (GoaOAuthProvider *provider,
+       SoupCookieJar *cookie_jar;
+ 
+       webkit_soup_session = webkit_get_default_session ();
++
++      g_object_set (webkit_soup_session,
++          SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
++          SOUP_SESSION_SSL_STRICT, TRUE,
++          NULL);
++
+       /* Get the proxy configuration from the GNOME settings */
+       soup_session_add_feature_by_type (webkit_soup_session, SOUP_TYPE_PROXY_RESOLVER_GNOME);
+ 
+-- 
+1.7.10.4
+
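Review bot: The added `g_object_set()` calls in both `get_tokens_and_identity()` hunks only configure the session returned by `webkit_get_default_session()`, i.e. the embedded web view. Any other HTTP requests these providers issue (for example token exchange or identity lookup, which are not visible in these hunks) would need their own certificate verification, so that is worth confirming before treating the issue as fully closed. The commit message mentions only "ssl-strict", but in libsoup 2.x that property has no effect until a CA database is configured, so a comment above each call would help: `/* ssl-strict is a no-op without a CA database, so also enable the system CA file */`. The same four lines are duplicated in goaoauth2provider.c and goaoauthprovider.c, and a small shared helper would keep them from drifting apart. Both functions start and end outside the hunks.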

Modified: desktop/unstable/gnome-online-accounts/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/gnome-online-accounts/debian/patches/series?rev=36622&op=diff
==============================================================================
--- desktop/unstable/gnome-online-accounts/debian/patches/series [utf-8] (original)
+++ desktop/unstable/gnome-online-accounts/debian/patches/series [utf-8] Tue Feb  5 17:20:25 2013
@@ -1,1 +1,2 @@
 01_git_fix_build.patch
+3.4.x-CVE-2013-0240.patch



