gnome-online-accounts/gnome-online-accounts-CVE-2013-0240.patch

From 407c4cf96519cd9801cec4bc630c6e0d451c82a3 Mon Sep 17 00:00:00 2001
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Tue, 5 Feb 2013 13:43:34 +0000
Subject: [PATCH] CVE-2013-0240: Do not allow invalid SSL certificates

None of the branded providers (eg., Google, Facebook and Windows Live)
should ever have an invalid certificate; and in this version of GOA,
that's all we have. So set "ssl-strict" on the SoupSession object
being used by GoaWebView.
---
 src/goabackend/goaoauth2provider.c |    6 ++++++
 src/goabackend/goaoauthprovider.c  |    6 ++++++
 2 files changed, 12 insertions(+)

Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c
===================================================================
--- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauth2provider.c
+++ gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c
@@ -692,6 +692,12 @@ on_web_view_document_load_finished (WebK
   gulong i;
 
   session = webkit_get_default_session ();
+
+  g_object_set (session,
+      SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+      SOUP_SESSION_SSL_STRICT, TRUE,
+      NULL);
+
   cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR));
   slist = soup_cookie_jar_all_cookies (cookie_jar);
   g_slist_foreach (slist, (GFunc) check_cookie, data);
Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c
===================================================================
--- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauthprovider.c
+++ gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c
@@ -725,6 +725,12 @@ on_web_view_document_load_finished (WebK
   gulong i;
 
   session = webkit_get_default_session ();
+
+  g_object_set (session,
+          SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+          SOUP_SESSION_SSL_STRICT, TRUE,
+          NULL);
+
   cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR));
   slist = soup_cookie_jar_all_cookies (cookie_jar);
   g_slist_foreach (slist, (GFunc) check_cookie, data);
Accepting request 151522 from home:dimstar:branches:GNOME:Factory Fix CVE-2013-0240 OBS-URL: https://build.opensuse.org/request/show/151522 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gnome-online-accounts?expand=0&rev=35 2013-02-09 14:18:07 +01:00			`From 407c4cf96519cd9801cec4bc630c6e0d451c82a3 Mon Sep 17 00:00:00 2001`
			`From: Simon McVittie <simon.mcvittie@collabora.co.uk>`
			`Date: Tue, 5 Feb 2013 13:43:34 +0000`
			`Subject: [PATCH] CVE-2013-0240: Do not allow invalid SSL certificates`

			`None of the branded providers (eg., Google, Facebook and Windows Live)`
			`should ever have an invalid certificate; and in this version of GOA,`
			`that's all we have. So set "ssl-strict" on the SoupSession object`
			`being used by GoaWebView.`
			`---`
			`src/goabackend/goaoauth2provider.c \| 6 ++++++`
			`src/goabackend/goaoauthprovider.c \| 6 ++++++`
			`2 files changed, 12 insertions(+)`

			`Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c`
			`===================================================================`
			`--- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauth2provider.c`
			`+++ gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c`
			`@@ -692,6 +692,12 @@ on_web_view_document_load_finished (WebK`
			`gulong i;`

			`session = webkit_get_default_session ();`
			`+`
			`+ g_object_set (session,`
			`+ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,`
			`+ SOUP_SESSION_SSL_STRICT, TRUE,`
			`+ NULL);`
			`+`
			`cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR));`
			`slist = soup_cookie_jar_all_cookies (cookie_jar);`
			`g_slist_foreach (slist, (GFunc) check_cookie, data);`
			`Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c`
			`===================================================================`
			`--- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauthprovider.c`
			`+++ gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c`
			`@@ -725,6 +725,12 @@ on_web_view_document_load_finished (WebK`
			`gulong i;`

			`session = webkit_get_default_session ();`
			`+`
			`+ g_object_set (session,`
			`+ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,`
			`+ SOUP_SESSION_SSL_STRICT, TRUE,`
			`+ NULL);`
			`+`
			`cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR));`
			`slist = soup_cookie_jar_all_cookies (cookie_jar);`
			`g_slist_foreach (slist, (GFunc) check_cookie, data);`