Bug 26819 - glib-networking new security issue CVE-2020-13645
Summary: glib-networking new security issue CVE-2020-13645
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2020-06-18 23:01 CEST by David Walser
Modified: 2020-08-11 02:06 CEST
5 users

See Also:
Source RPM: glib-networking-2.60.2-1.mga7.src.rpm
CVE: CVE-2020-13645
Status comment:


Description David Walser 2020-06-18 23:01:24 CEST
Fedora has issued an advisory today (June 18):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/

The issue is fixed upstream in 2.62.4.
Comment 1 Lewis Smith 2020-06-19 20:51:32 CEST
This SRPM is ownerless, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2020-06-20 09:38:20 CEST
This part of the patched code doesn't exist in our current 2.60.2 release.

https://gitlab.gnome.org/GNOME/glib-networking/-/commit/29513946809590c4912550f6f8620468f9836d94


So it seems that this release is not affected by CVE-2020-13645.

CC: (none) => geiger.david68210

Comment 3 David Walser 2020-06-20 16:25:57 CEST
Thanks, I thought that might be the case.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

Comment 4 David Walser 2020-07-01 21:25:21 CEST
Ubuntu has issued an advisory for this on June 29:
https://ubuntu.com/security/notices/USN-4405-1

Apparently older versions are vulnerable.

Resolution: INVALID => (none)
Status: RESOLVED => REOPENED

Comment 5 Nicolas Salguero 2020-07-07 10:14:58 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host. (CVE-2020-13645)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13645
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/
https://ubuntu.com/security/notices/USN-4405-1
========================

Updated packages in core/updates_testing:
========================
glib-networking-2.60.2-1.1.mga7
lib(64)glib-networking-2.60.2-1.1.mga7
lib(64)glib-networking-gnutls-2.60.2-1.1.mga7

from SRPMS:
glib-networking-2.60.2-1.1.mga7.src.rpm

CVE: (none) => CVE-2020-13645
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Status: REOPENED => ASSIGNED

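The advisory above describes the failure mode in words only. The following is an added example (not code from glib-networking, Balsa or the Mageia package) that models the verification decision in plain Python: a fail-open verifier with the behaviour the CVE text describes next to a fail-closed one with the documented behaviour, driven by a constructed certificate and host names. The `PeerCertificate` type, the function names and the sample names are assumptions made for this illustration; the SAN matching follows the usual RFC 6125 rule that a wildcard may only stand for the whole left-most label.

```python
"""Added example, not code from glib-networking or the Mageia package.

Models the CVE-2020-13645 failure mode from the advisory: a TLS client
that is never told which server identity to expect must fail
verification, not silently skip the hostname check and accept any
certificate that chains to a trusted CA.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeerCertificate:
    """Minimal stand-in for a parsed X.509 certificate (constructed)."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)
    chain_valid: bool = True  # assume the CA chain was already checked


def hostname_matches(cert: PeerCertificate, host: str) -> bool:
    """Match host against the DNS SANs (falling back to the CN only when
    the certificate carries no SAN at all).  A wildcard entry such as
    *.example.com matches www.example.com but neither example.com nor
    a.b.example.com."""
    host = host.rstrip(".").lower()
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    for name in names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                      # ".example.com"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]    # label the "*" replaces
                if leftmost and "." not in leftmost:
                    return True
    return False


def verify_vulnerable(cert: PeerCertificate,
                      server_identity: Optional[str]) -> bool:
    """Behaviour the advisory describes: a missing identity skips the
    hostname check, so any certificate valid for any host is accepted."""
    if not cert.chain_valid:
        return False
    if server_identity is None:
        return True  # BUG: fail open, the peer could be anyone
    return hostname_matches(cert, server_identity)


def verify_fixed(cert: PeerCertificate,
                 server_identity: Optional[str]) -> bool:
    """Documented behaviour: a missing identity is a caller error and
    verification fails closed."""
    if not cert.chain_valid:
        return False
    if server_identity is None:
        return False  # fail closed: the application never set the identity
    return hostname_matches(cert, server_identity)


# Constructed scenario: a mail client meant to reach imap.example.org is
# handed a certificate that is valid, but for a different name.
INTERCEPTOR_CERT = PeerCertificate(
    subject_cn="other.example",
    san_dns=["other.example", "*.other.example"],
)


def demo() -> dict:
    """Return the verdicts of both verifiers for the constructed case."""
    return {
        "vulnerable_no_identity": verify_vulnerable(INTERCEPTOR_CERT, None),
        "fixed_no_identity": verify_fixed(INTERCEPTOR_CERT, None),
        "fixed_with_identity": verify_fixed(INTERCEPTOR_CERT, "imap.example.org"),
    }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check}: {'accepted' if verdict else 'rejected'}")
```

The point to carry over to real code is the middle branch of each verifier: the difference between the two is one line, and it is exactly the line that decides whether an application that forgot to call the equivalent of "set server identity" ends up with a TLS session to an arbitrary peer.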
Comment 6 Herman Viaene 2020-07-07 16:45:47 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
No wiki or previous updates, so searching for info:
MCC shows in glib-networking : /usr/lib/systemd/user/glib-pacrunner.service
but
# systemctl -l status glib-pacrunner.service
Unit glib-pacrunner.service could not be found.
#  /usr/libexec/glib-pacrunner
just runs with no feedback.
Googling leads me to https://wiki.gnome.org/Projects/NetworkManager/Proxies
I do not use a specific proxy, but Network Manager should communicate with it.
So, used MCC - Network Manager to disconnect, check the configuration, and connect my wifi again. No problems.
Is that sufficient for an OK? I will not object.

CC: (none) => herman.viaene

Herman Viaene 2020-08-07 16:34:57 CEST

Whiteboard: (none) => MGA7-64-OK

Comment 7 Thomas Andrews 2020-08-11 02:06:30 CEST
Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

