Bug 9082 - gnome-online-accounts new security issue CVE-2013-0240
: gnome-online-accounts new security issue CVE-2013-0240
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/538442/
: has_procedure mga2-64-ok MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-02-15 19:46 CET by David Walser
Modified: 2013-02-21 21:58 CET (History)
5 users (show)

See Also:
Source RPM: gnome-online-accounts-3.4.1-1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-02-15 19:46:24 CET
OpenSuSE has issued an advisory today (February 15):
http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html

Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated gnome-online-accounts packages fix security vulnerability:

It was found that Gnome Online Accounts (GOA) did not perform SSL certificate
validation, when performing Windows Live and Facebook accounts creation. A
remote attacker could use this flaw to conduct man-in-the-middle (MiTM)
attacks, possibly leading to their ability to obtain sensitive information
(CVE-2013-0240).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0240
http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html
========================

Updated packages in core/updates_testing:
========================
gnome-online-accounts-3.4.2-1.1.mga2
libgoa1.0_0-3.4.2-1.1.mga2
libgoa-gir1.0-3.4.2-1.1.mga2
libgoa1.0-devel-3.4.2-1.1.mga2

from gnome-online-accounts-3.4.2-1.1.mga2.src.rpm
Comment 1 Thomas Backlund 2013-02-15 22:55:57 CET
Um, this is more than a CVE fix... it's also a version bump from 3.4.1 to 3.4.2
Comment 2 David Walser 2013-02-15 23:04:44 CET
That's what was in SVN.  You know why.
Comment 3 Thomas Backlund 2013-02-15 23:17:48 CET
Yes, I know... 

but svn Changes can Always be reverted in order to provide safe updates, so we need to be careful with all gtk and gnome stuff in mga2 updates...

anyway we can see how it goes, but QA need to be extra careful with this mess...
Comment 4 David Walser 2013-02-15 23:29:28 CET
Yes, thanks for pointing it out.  It really *shouldn't* cause issues with this or any other package that might need to be updated, but as any changes will be more than just our security or bugfixes, but also the upstream ones from the updated version, more careful testing would be required.
Comment 5 Dave Hodgins 2013-02-17 00:40:56 CET
$ urpmq --whatrequires gnome-online-accounts
gnome-online-accounts

Is it actually used?  Any suggestions for testing?
Comment 6 claire robinson 2013-02-17 01:46:37 CET
There is some info here but I haven't looked at it yet to see how to test this

http://developer.gnome.org/goa/stable/
Comment 7 claire robinson 2013-02-18 11:16:43 CET
Reading here: https://live.gnome.org/GnomeOnlineAccounts

"GOA provides a centralized service that allows a set of online accounts to be configured for use with core GNOME applications. In UX terms, GOA provides a static list of online accounts that can be setup by users (through the Online Accounts panel in System Settings). These accounts can then be used by core GNOME applications. "

So configuring/connecting to accounts in gnome settings should be enough to test
Comment 8 claire robinson 2013-02-18 11:50:29 CET
Testing complete mga2 64

Confirmed I can configure windows live and google accounts in Gnome. 
Empathy can also use that account information.

They fail to connect as it thinks there is no network connection, which I think is probably something to do with networkmanager not managing the network connection. Unrelated to GOA though.
Comment 9 Bill Wilkinson 2013-02-20 01:34:48 CET
Checking GOA on mga2 32.  One thing I've noted, there are icons for multiple other account options (yahoo, twitter, facebook, etc.) but when attempting to configure, the only options available are google and windows live. Should we be able to configure the others some way?
Comment 10 Dave Hodgins 2013-02-21 08:39:26 CET
(In reply to Bill Wilkinson from comment #9)
> Checking GOA on mga2 32.  One thing I've noted, there are icons for multiple
> other account options (yahoo, twitter, facebook, etc.) but when attempting
> to configure, the only options available are google and windows live. Should
> we be able to configure the others some way?

I don't know if they should be available or not, but I've checked
that the prior version has the same behavior, so if it is a bug,
it's not a regression.  Please open a new bug report if you think
the other services should be available as options.
Comment 11 Dave Hodgins 2013-02-21 08:42:26 CET
Validating the update.

Could someone from the sysadmin team push the srpm
gnome-online-accounts-3.4.2-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated gnome-online-accounts packages fix security vulnerability:

It was found that Gnome Online Accounts (GOA) did not perform SSL certificate
validation, when performing Windows Live and Facebook accounts creation. A
remote attacker could use this flaw to conduct man-in-the-middle (MiTM)
attacks, possibly leading to their ability to obtain sensitive information
(CVE-2013-0240).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0240
http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html

https://bugs.mageia.org/show_bug.cgi?id=9082
Comment 12 Thomas Backlund 2013-02-21 21:58:16 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0059

Note You need to log in before you can comment on or make changes to this bug.