Bug 6330

Summary: libgdata new security issue CVE-2012-1177
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: cjw, davidwhodgins, dmorganec, fundawang, jani.valimaa, olav, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/506378/
Whiteboard: MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-32-OK MGA1-64-OK
Source RPM: libgdata-0.6.6-1.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-06-04 22:07:15 CEST 
Debian has issued an advisory on June 2:
http://www.debian.org/security/2012/dsa-2482

Note the CVE reference in the advisory is wrong (copy-paste from another advisory).  See the Debian bug for the correct CVE reference as well as links to the upstream changes that fixed this.

Also note that this may require an update to libsoup 2.37.91 or newer, or at least a patch to libsoup.

Cauldron/Mageia 2 are not affected as this has been fixed upstream in the versions we have there.
David Walser 2012-06-04 22:07:32 CEST

CC: (none) => olav

David Walser 2012-06-04 22:07:41 CEST

CC: (none) => fundawang

David Walser 2012-06-04 22:07:54 CEST

CC: (none) => jani.valimaa

David Walser 2012-06-04 22:08:04 CEST

CC: (none) => dmorganec

David Walser 2012-06-04 22:08:12 CEST

CC: (none) => cjw

Comment 1 David Walser 2012-07-11 22:02:20 CEST 
OpenSuSE has issued an advisory for this today (July 11):
http://lists.opensuse.org/opensuse-updates/2012-07/msg00023.html

URL: (none) => http://lwn.net/Vulnerabilities/506378/

Comment 2 David Walser 2012-07-25 16:50:52 CEST 
Mandriva has issued an advisory for this today (July 25):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:111
Comment 3 David Walser 2012-07-25 17:37:11 CEST 
The fix from SuSE and Mandriva doesn't require updating libsoup on Mageia 1.

Cauldron and Mageia 2 are also affected, and I have fixed all three versions in SVN.

Mageia 1 and Mageia 2 libgdata packages build fine locally for me.

I submitted the libgdata build in Cauldron and the build failed.  Could someone please fix the (autoconf related) build errors in Cauldron?

Version: 1 => Cauldron
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 4 David Walser 2012-07-25 17:52:11 CEST 
Build error in Cauldron fixed thanks to Pascal Terjan.

Since this now builds against rootcerts and we need to update it in Mageia 1 and Mageia 2 anyway, I'll provide it with this update.
Comment 5 David Walser 2012-07-25 18:07:43 CEST 
All updated packages are now uploaded.  Assigning to QA.

Advisory:
========================

Updated libgdata packages fix security vulnerability:

It was found that previously libgdata, a GLib-based library for
accessing online service APIs using the GData protocol, did not
perform SSL certificates validation even for secured connections. An
application, linked against the libgdata library and holding the
trust about the other side of the connection being the valid owner
of the certificate, could be tricked into accepting of a spoofed SSL
certificate by mistake (MITM attack) (CVE-2012-1177).

Additionally, because this now builds against the rootcerts package,
rootcerts has been updated to the latest version and nss has been
rebuilt against the new rootcerts package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1177
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:111
========================

Updated packages in core/updates_testing:
========================
rootcerts-20120628.00-1.mga1
rootcerts-java-20120628.00-1.mga1
rootcerts-20120628.00-1.mga2
rootcerts-java-20120628.00-1.mga2
nss-3.13.5-1.1.mga1
nss-doc-3.13.5-1.1.mga1
libnss3-3.13.5-1.1.mga1
libnss-devel-3.13.5-1.1.mga1
libnss-static-devel-3.13.5-1.1.mga1
nss-3.13.5-1.1.mga2
nss-doc-3.13.5-1.1.mga2
libnss3-3.13.5-1.1.mga2
libnss-devel-3.13.5-1.1.mga2
libnss-static-devel-3.13.5-1.1.mga2
libgdata-i18n-0.6.6-1.1.mga1
libgdata7-0.6.6-1.1.mga1
libgdata-devel-0.6.6-1.1.mga1
libgdata-i18n-0.12.0-1.1.mga2
libgdata13-0.12.0-1.1.mga2
libgdata-devel-0.12.0-1.1.mga2
libgdata-gir0.0-0.12.0-1.1.mga2

rootcerts-20120628.00-1.mga1.src.rpm
rootcerts-20120628.00-1.mga2.src.rpm
nss-3.13.5-1.1.mga1.src.rpm
nss-3.13.5-1.1.mga2.src.rpm
libgdata-0.6.6-1.1.mga1.src.rpm
libgdata-0.12.0-1.1.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 6 Dave Hodgins 2012-08-01 03:03:21 CEST 
Looks to me like all we need to test for this is pop3s access in
evolution, plus standard browsing to https sites works.

After setting up evolution to access a pop3s acccount (localhost/dovecot),
the first attempt to get mail shows 
SSL Certificate for 'localhost' is not trusted. Do you wish to accept it?
so clearly it is now checking the connection.

CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO has_procedure MGA2-64-OK

Comment 7 Dave Hodgins 2012-08-01 03:04:04 CEST 
I'll test the other arch and release shortly.
Comment 8 Dave Hodgins 2012-08-01 03:28:21 CEST 
Testing complete on Mageia 2 i586.

Whiteboard: MGA1TOO has_procedure MGA2-64-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK

Dave Hodgins 2012-08-01 03:36:51 CEST

Whiteboard: MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-32-OK

Comment 9 Dave Hodgins 2012-08-01 03:46:52 CEST 
Testing complete on Mageia 1 i586 and x86-64.

Could someone from the sysadmin team push this update for
both Mageia 1 and 2.

Please see comment 5 for the list of srpms and advisory.

https://bugs.mageia.org/show_bug.cgi?id=6330

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-32-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-32-OK MGA1-64-OK

Comment 10 Thomas Backlund 2012-08-02 21:21:03 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0190

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED