gnu: libgrss: Fix CVE-2016-20011.
* gnu/packages/gnome.scm (libgrss): Add patch. * gnu/packages/patches/libgrss-CVE-2016-2001.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it.
This commit is contained in:
Tobias Geerinckx-Rice
parent
3499d23692
commit
243d74579d
3 changed files with 105 additions and 1 deletions
|
|
@ -1347,6 +1347,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/libgit2-mtime-0.patch \
|
||||
%D%/packages/patches/libgnome-encoding.patch \
|
||||
%D%/packages/patches/libgnomeui-utf8.patch \
|
||||
%D%/packages/patches/libgrss-CVE-2016-2001.patch \
|
||||
%D%/packages/patches/libjxr-fix-function-signature.patch \
|
||||
%D%/packages/patches/libjxr-fix-typos.patch \
|
||||
%D%/packages/patches/libofa-ftbfs-1.diff \
|
||||
|
|
|
|||
|
|
@ -392,7 +392,9 @@ services.")
|
|||
(version-major+minor version) "/"
|
||||
name "-" version ".tar.xz"))
|
||||
(sha256
|
||||
(base32 "1nalslgyglvhpva3px06fj6lv5zgfg0qmj0sbxyyl5d963vc02b7"))))
|
||||
(base32 "1nalslgyglvhpva3px06fj6lv5zgfg0qmj0sbxyyl5d963vc02b7"))
|
||||
(patches
|
||||
(search-patches "libgrss-CVE-2016-2001.patch"))))
|
||||
(build-system glib-or-gtk-build-system)
|
||||
(outputs '("out" "doc"))
|
||||
(arguments
|
||||
|
|
|
|||
101
gnu/packages/patches/libgrss-CVE-2016-2001.patch
Normal file
101
gnu/packages/patches/libgrss-CVE-2016-2001.patch
Normal file
|
|
@ -0,0 +1,101 @@
|
|||
From 2c6ea642663e2a44efc8583fae7c54b7b98f72b3 Mon Sep 17 00:00:00 2001
|
||||
From: Ariadne Conill <ariadne@dereferenced.org>
|
||||
Date: Mon, 7 Jun 2021 18:51:07 -0600
|
||||
Subject: [PATCH] Ensure the ssl-use-system-ca-file property is set to true on
|
||||
all SoupSessions.
|
||||
|
||||
The default SoupSessionSync and SoupSessionAsync behaviour does not perform any
|
||||
TLS certificate validation, unless the ssl-use-system-ca-file property is set
|
||||
to true.
|
||||
|
||||
This mitigates CVE-2016-20011.
|
||||
---
|
||||
src/feed-channel.c | 2 ++
|
||||
src/feed-enclosure.c | 4 ++++
|
||||
src/feeds-pool.c | 1 +
|
||||
src/feeds-publisher.c | 4 +++-
|
||||
src/feeds-subscriber.c | 4 +++-
|
||||
5 files changed, 13 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/feed-channel.c b/src/feed-channel.c
|
||||
index 19ca7b2..d2d51b9 100644
|
||||
--- a/src/feed-channel.c
|
||||
+++ b/src/feed-channel.c
|
||||
@@ -973,6 +973,8 @@ quick_and_dirty_parse (GrssFeedChannel *channel, SoupMessage *msg, GList **save_
|
||||
static void
|
||||
init_soup_session (SoupSession *session, GrssFeedChannel *channel)
|
||||
{
|
||||
+ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
|
||||
+
|
||||
if (channel->priv->jar != NULL)
|
||||
soup_session_add_feature (session, SOUP_SESSION_FEATURE (channel->priv->jar));
|
||||
if (channel->priv->gzip == TRUE)
|
||||
diff --git a/src/feed-enclosure.c b/src/feed-enclosure.c
|
||||
index 68ebbfe..2cd8f9e 100644
|
||||
--- a/src/feed-enclosure.c
|
||||
+++ b/src/feed-enclosure.c
|
||||
@@ -220,6 +220,8 @@ grss_feed_enclosure_fetch (GrssFeedEnclosure *enclosure, GError **error)
|
||||
url = grss_feed_enclosure_get_url (enclosure);
|
||||
|
||||
session = soup_session_sync_new ();
|
||||
+ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
|
||||
+
|
||||
msg = soup_message_new ("GET", url);
|
||||
status = soup_session_send_message (session, msg);
|
||||
|
||||
@@ -282,6 +284,8 @@ grss_feed_enclosure_fetch_async (GrssFeedEnclosure *enclosure, GAsyncReadyCallba
|
||||
|
||||
task = g_task_new (enclosure, NULL, callback, user_data);
|
||||
session = soup_session_async_new ();
|
||||
+ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
|
||||
+
|
||||
msg = soup_message_new ("GET", grss_feed_enclosure_get_url (enclosure));
|
||||
soup_session_queue_message (session, msg, enclosure_downloaded, task);
|
||||
}
|
||||
diff --git a/src/feeds-pool.c b/src/feeds-pool.c
|
||||
index f18f3cd..7b33956 100644
|
||||
--- a/src/feeds-pool.c
|
||||
+++ b/src/feeds-pool.c
|
||||
@@ -178,6 +178,7 @@ grss_feeds_pool_init (GrssFeedsPool *node)
|
||||
memset (node->priv, 0, sizeof (GrssFeedsPoolPrivate));
|
||||
node->priv->parser = grss_feed_parser_new ();
|
||||
node->priv->soupsession = soup_session_async_new ();
|
||||
+ g_object_set (G_OBJECT (node->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
|
||||
}
|
||||
|
||||
/**
|
||||
diff --git a/src/feeds-publisher.c b/src/feeds-publisher.c
|
||||
index 427a54f..500cd96 100644
|
||||
--- a/src/feeds-publisher.c
|
||||
+++ b/src/feeds-publisher.c
|
||||
@@ -888,8 +888,10 @@ create_and_run_server (GrssFeedsPublisher *pub)
|
||||
{
|
||||
SoupAddress *soup_addr;
|
||||
|
||||
- if (pub->priv->soupsession == NULL)
|
||||
+ if (pub->priv->soupsession == NULL) {
|
||||
pub->priv->soupsession = soup_session_async_new ();
|
||||
+ g_object_set (G_OBJECT (pub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
|
||||
+ }
|
||||
|
||||
soup_addr = soup_address_new_any (SOUP_ADDRESS_FAMILY_IPV4, pub->priv->port);
|
||||
pub->priv->server = soup_server_new ("port", pub->priv->port, "interface", soup_addr, NULL);
|
||||
diff --git a/src/feeds-subscriber.c b/src/feeds-subscriber.c
|
||||
index 259f891..0f63f83 100644
|
||||
--- a/src/feeds-subscriber.c
|
||||
+++ b/src/feeds-subscriber.c
|
||||
@@ -513,8 +513,10 @@ init_run_server (GrssFeedsSubscriber *sub)
|
||||
{
|
||||
GInetAddress *addr;
|
||||
|
||||
- if (sub->priv->soupsession == NULL)
|
||||
+ if (sub->priv->soupsession == NULL) {
|
||||
sub->priv->soupsession = soup_session_async_new ();
|
||||
+ g_object_set (G_OBJECT (sub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
|
||||
+ }
|
||||
|
||||
/*
|
||||
Flow:
|
||||
--
|
||||
GitLab
|
||||
|
||||
Reference in a new issue