Bug 29585 - libzapojit new security issue CVE-2021-39360
Summary: libzapojit new security issue CVE-2021-39360
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2021-10-23 15:50 CEST by David Walser
Modified: 2021-11-10 23:54 CET
CC: 6 users

See Also:
Source RPM: libzapojit-0.0.3-9.mga8.src.rpm
CVE: CVE-2021-39360
Status comment:


Attachments

David Walser 2021-10-23 15:50:31 CEST

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-10-23 21:20:57 CEST
A parentless SRPM committed by different packagers, so we have to assign this update globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-10-25 10:04:40 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. (CVE-2021-39360)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39360
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IDXCHOCVP3VSAKDBQSLER2DQHFIOUHAT/
========================

Updated packages in core/updates_testing:
========================
lib(64)zapojit-gir0.0-0.0.3-9.1.mga8
lib(64)zapojit0.0_0-0.0.3-9.1.mga8
lib(64)zapojit-devel-0.0.3-9.1.mga8

from SRPM:
libzapojit-0.0.3-9.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2021-39360
Status comment: Patch available from Fedora => (none)
Status: NEW => ASSIGNED
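
The Fedora patch itself is not reproduced in this ticket. The script below is an added example, not code from the bug report, libzapojit or the Mageia package: it audits C sources for the construction pattern the advisory describes, a SoupSessionSync created without any certificate source. It assumes that with libsoup 2.4's deprecated soup_session_sync_new() the "ssl-use-system-ca-file" property defaults to FALSE, so unless SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE or SOUP_SESSION_SSL_CA_FILE (or their string names) is passed to soup_session_sync_new_with_options() no certificate validation happens; the sample source and its function names are constructed.

```python
"""Audit C sources for SoupSessionSync constructions that never enable TLS
certificate verification (the libsoup 2.4 pattern behind CVE-2021-39360).
Added example, not code from libzapojit. Assumption: the deprecated
soup_session_sync_new() leaves "ssl-use-system-ca-file" FALSE, so unless a
CA source is passed to soup_session_sync_new_with_options() the session
accepts any certificate."""
import re

# Constructed sample source (function names made up for the illustration).
SAMPLE_C = """
static void
vulnerable_init (ZpjSkydrive *self)
{
  self->priv->session = soup_session_sync_new ();
}

static void
hardened_init (ZpjSkydrive *self)
{
  self->priv->session = soup_session_sync_new_with_options (
      SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
}
"""

CTOR_RE = re.compile(r"soup_session_sync_new(_with_options)?\s*\(")
CA_PROPS = ("SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE", "SOUP_SESSION_SSL_CA_FILE",
            '"ssl-use-system-ca-file"', '"ssl-ca-file"')


def _call_args(src, lparen):
    """Text inside the balanced parentheses opened at src[lparen]."""
    depth = 0
    for i in range(lparen, len(src)):
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        if depth == 0:
            return src[lparen + 1:i]
    return src[lparen + 1:]  # unterminated call: treat the rest as arguments


def find_unverified_sessions(src):
    """(line, constructor) for each construction that names no CA source;
    the bare soup_session_sync_new() never does."""
    findings = []
    for m in CTOR_RE.finditer(src):
        args = _call_args(src, m.end() - 1)
        if m.group(1) and any(p in args for p in CA_PROPS):
            continue  # hardened: a CA source is configured
        line = src.count("\n", 0, m.start()) + 1
        findings.append((line, m.group(0).rstrip("( \t\n")))
    return findings
```

Running find_unverified_sessions over zpj-skydrive.c before and after applying the patch shows whether the flagged construction is gone; on the constructed sample only vulnerable_init's call is reported.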

Comment 3 Herman Viaene 2021-10-26 11:56:50 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
Looking for something depending on this library.
# urpmq --whatrequires lib64zapojit0.0_0
gnome-online-miners
lib64zapojit-devel
lib64zapojit-gir0.0
lib64zapojit-gir0.0
lib64zapojit0.0_0
# urpmq --whatrequires lib64zapojit-gir0.0
gnome-documents
lib64zapojit-devel
lib64zapojit-gir0.0
# urpmq --whatrequires-recursive lib64zapojit0.0_0
gnome-documents
gnome-online-miners
gnome-photos
lib64zapojit-devel
lib64zapojit-devel
lib64zapojit-gir0.0
lib64zapojit-gir0.0
lib64zapojit0.0_0

gnome-documents is out of the question since that would draw in Mageia's LibreOffice rpms. I have an issue with those and am running LO's rpms now.

Tried a trace on gnome-photos, walked around in it and created a new album, but found no references to the libraries.

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2021-10-28 22:12:15 CEST
Herman, the description for the library in MCC says "Libzapojit is a GLib/GObject wrapper for Skydrive and Hotmail."

Is that of any help? I'm not a Gnome user, so I am not familiar with such things.

CC: (none) => andrewsfarm

Comment 5 Herman Viaene 2021-10-29 10:40:38 CEST
Tried to trace using thunderbird on hotmail account, but no references found.
Googling and reading stuff like https://www.freshports.org/net/libzapojit makes me conclude that this is a pure Gnome library. And I run LARGE circles around Gnome......

Comment 6 Thomas Andrews 2021-10-29 14:22:44 CEST
I know what you mean. I might try something in a vbox guest, but I don't have a Hotmail account...

Comment 7 Brian Rockwell 2021-10-30 03:47:28 CEST
MGA8-64, Gnome

The following 2 packages are going to be installed:

- lib64zapojit-gir0.0-0.0.3-9.1.mga8.x86_64
- lib64zapojit0.0_0-0.0.3-9.1.mga8.x86_64

4.2KB of additional disk space will be used.

I connected to an MS Onedrive account. It didn't do much. However, I was able to attach to the account. Document and Photos didn't really do much.

I can't give this an up or down vote.

CC: (none) => brtians1

Comment 8 Thomas Andrews 2021-10-30 04:58:55 CEST
I continue to fumble around in the dark here, but...

The third reference in Comment 2 contains this description of the library:

Description :
GLib/GObject wrapper for the OneDrive and Hotmail REST APIs. It supports
OneDrive file and folder objects, and the following OneDrive operations:
  - Deleting a file, folder or photo.
  - Listing the contents of a folder.
  - Reading the properties of a file, folder or photo.
  - Uploading files and photos.

Brian, can you do any of those operations with the Onedrive account? That would probably be enough for a test. I don't know enough about the subject to know if being able to "attach" to the account is enough.

Comment 9 Brian Rockwell 2021-10-30 23:50:53 CEST
I don't see anything even though the online accounts app says it is connected.

Doesn't work for me.

Comment 10 Brian Rockwell 2021-10-31 02:07:16 CET
Original version doesn't work for me either.

It installs fine, so it's up to you if you want to approve it.

Comment 11 Thomas Andrews 2021-10-31 15:05:30 CET
I fired up my usually-dormant Gnome Vbox guest, updated it (330 packages!), and took a look at what was installed. I found that these libraries were already there, as are gnome-documents and gnome-online-miners. Doing a bit of research, I found this about gnome-online-miners:

"GNOME Online Miners provides a set of crawlers that go through your online content and index them locally in Tracker. It has miners for Flickr, Google, OwnCloud and SkyDrive."

Not really something I want to get into, even with a test install. But, using qarepo, I updated the libraries, and as with others there were no installation issues. Then I ran gnome-documents in the terminal. It did load, telling me it didn't find any documents, but issued a lot of warning messages as it did:

$ gnome-documents

(org.gnome.Documents:4150): Tracker-WARNING **: 09:58:48.507: Error parsing miner .desktop file: No such file or directory

(org.gnome.Documents:4150): Tracker-WARNING **: 09:58:48.508: Error parsing miner .desktop file: No such file or directory

(org.gnome.Documents:4150): Gjs-WARNING **: 09:58:48.514: JS ERROR: Error indexing the getting started PDF: GLib.Error tracker-miner-manager-error-quark: Filesystem miner is not active
_initGettingStarted@resource:///org/gnome/Documents/js/application.js:142:25
_createWindow@resource:///org/gnome/Documents/js/application.js:392:14
vfunc_activate@resource:///org/gnome/Documents/js/application.js:449:18
main@resource:///org/gnome/Documents/js/main.js:47:24
run@resource:///org/gnome/gjs/modules/script/package.js:222:19
@/usr/bin/gnome-documents:6:17


(org.gnome.Documents:4150): Tracker-WARNING **: 09:58:48.517: Error parsing miner .desktop file: No such file or directory

(org.gnome.Documents:4150): Tracker-WARNING **: 09:58:48.517: Error parsing miner .desktop file: No such file or directory

So somehow, I need to activate the miners to somehow test this, but as I said, that's nothing I, as a novice, want to get into.

I'm going to send this on based on three clean installs. Validating. Advisory in Comment 2.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-11-04 17:27:30 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 12 Mageia Robot 2021-11-10 23:54:40 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0504.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

