Bug 6330 - libgdata new security issue CVE-2012-1177
: libgdata new security issue CVE-2012-1177
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/506378/
: MGA1TOO has_procedure MGA2-64-OK MGA2...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-06-04 22:07 CEST by David Walser
Modified: 2012-08-02 21:21 CEST (History)
8 users (show)

See Also:
Source RPM: libgdata-0.6.6-1.mga1.src.rpm
CVE:


Attachments

Description David Walser 2012-06-04 22:07:15 CEST
Debian has issued an advisory on June 2:
http://www.debian.org/security/2012/dsa-2482

Note the CVE reference in the advisory is wrong (copy-paste from another advisory).  See the Debian bug for the correct CVE reference as well as links to the upstream changes that fixed this.

Also note that this may require an update to libsoup 2.37.91 or newer, or at least a patch to libsoup.

Cauldron/Mageia 2 are not affected as this has been fixed upstream in the versions we have there.
Comment 1 David Walser 2012-07-11 22:02:20 CEST
OpenSuSE has issued an advisory for this today (July 11):
http://lists.opensuse.org/opensuse-updates/2012-07/msg00023.html
Comment 2 David Walser 2012-07-25 16:50:52 CEST
Mandriva has issued an advisory for this today (July 25):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:111
Comment 3 David Walser 2012-07-25 17:37:11 CEST
The fix from SuSE and Mandriva doesn't require updating libsoup on Mageia 1.

Cauldron and Mageia 2 are also affected, and I have fixed all three versions in SVN.

Mageia 1 and Mageia 2 libgdata packages build fine locally for me.

I submitted the libgdata build in Cauldron and the build failed.  Could someone please fix the (autoconf related) build errors in Cauldron?
Comment 4 David Walser 2012-07-25 17:52:11 CEST
Build error in Cauldron fixed thanks to Pascal Terjan.

Since this now builds against rootcerts and we need to update it in Mageia 1 and Mageia 2 anyway, I'll provide it with this update.
Comment 5 David Walser 2012-07-25 18:07:43 CEST
All updated packages are now uploaded.  Assigning to QA.

Advisory:
========================

Updated libgdata packages fix security vulnerability:

It was found that previously libgdata, a GLib-based library for
accessing online service APIs using the GData protocol, did not
perform SSL certificates validation even for secured connections. An
application, linked against the libgdata library and holding the
trust about the other side of the connection being the valid owner
of the certificate, could be tricked into accepting of a spoofed SSL
certificate by mistake (MITM attack) (CVE-2012-1177).

Additionally, because this now builds against the rootcerts package,
rootcerts has been updated to the latest version and nss has been
rebuilt against the new rootcerts package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1177
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:111
========================

Updated packages in core/updates_testing:
========================
rootcerts-20120628.00-1.mga1
rootcerts-java-20120628.00-1.mga1
rootcerts-20120628.00-1.mga2
rootcerts-java-20120628.00-1.mga2
nss-3.13.5-1.1.mga1
nss-doc-3.13.5-1.1.mga1
libnss3-3.13.5-1.1.mga1
libnss-devel-3.13.5-1.1.mga1
libnss-static-devel-3.13.5-1.1.mga1
nss-3.13.5-1.1.mga2
nss-doc-3.13.5-1.1.mga2
libnss3-3.13.5-1.1.mga2
libnss-devel-3.13.5-1.1.mga2
libnss-static-devel-3.13.5-1.1.mga2
libgdata-i18n-0.6.6-1.1.mga1
libgdata7-0.6.6-1.1.mga1
libgdata-devel-0.6.6-1.1.mga1
libgdata-i18n-0.12.0-1.1.mga2
libgdata13-0.12.0-1.1.mga2
libgdata-devel-0.12.0-1.1.mga2
libgdata-gir0.0-0.12.0-1.1.mga2

rootcerts-20120628.00-1.mga1.src.rpm
rootcerts-20120628.00-1.mga2.src.rpm
nss-3.13.5-1.1.mga1.src.rpm
nss-3.13.5-1.1.mga2.src.rpm
libgdata-0.6.6-1.1.mga1.src.rpm
libgdata-0.12.0-1.1.mga2.src.rpm
Comment 6 Dave Hodgins 2012-08-01 03:03:21 CEST
Looks to me like all we need to test for this is pop3s access in
evolution, plus standard browsing to https sites works.

After setting up evolution to access a pop3s acccount (localhost/dovecot),
the first attempt to get mail shows 
SSL Certificate for 'localhost' is not trusted. Do you wish to accept it?
so clearly it is now checking the connection.
Comment 7 Dave Hodgins 2012-08-01 03:04:04 CEST
I'll test the other arch and release shortly.
Comment 8 Dave Hodgins 2012-08-01 03:28:21 CEST
Testing complete on Mageia 2 i586.
Comment 9 Dave Hodgins 2012-08-01 03:46:52 CEST
Testing complete on Mageia 1 i586 and x86-64.

Could someone from the sysadmin team push this update for
both Mageia 1 and 2.

Please see comment 5 for the list of srpms and advisory.

https://bugs.mageia.org/show_bug.cgi?id=6330
Comment 10 Thomas Backlund 2012-08-02 21:21:03 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0190

Note You need to log in before you can comment on or make changes to this bug.