From 8269cc347628b013f1996dd458537a6296708baa92dcb3c6d6314045104cfdb7 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Mon, 4 Mar 2013 16:38:05 +0000
Subject: [PATCH] Update to 3.6.3 - frmo stable gnome branch.. we should add this to 3.6.3 - as it brings all the SSL fix (the existing one missed on part) and is in line with upstreams version number
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gnome-online-accounts?expand=0&rev=37
---
gnome-online-accounts-3.6.2.tar.xz | 3 --
gnome-online-accounts-3.6.3.tar.xz | 3 ++
gnome-online-accounts-CVE-2013-0240.patch | 48 -----------------------
gnome-online-accounts.changes | 10 +++++
gnome-online-accounts.spec | 5 +--
5 files changed, 14 insertions(+), 55 deletions(-)
delete mode 100644 gnome-online-accounts-3.6.2.tar.xz
create mode 100644 gnome-online-accounts-3.6.3.tar.xz
delete mode 100644 gnome-online-accounts-CVE-2013-0240.patch
diff --git a/gnome-online-accounts-3.6.2.tar.xz b/gnome-online-accounts-3.6.2.tar.xz
deleted file mode 100644
index 18c290c..0000000
--- a/gnome-online-accounts-3.6.2.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:55d207d2dc5428f41b0a504aa3edd996a6167a5625d9e11d678f33f282935fa7
-size 583628
diff --git a/gnome-online-accounts-3.6.3.tar.xz b/gnome-online-accounts-3.6.3.tar.xz
new file mode 100644
index 0000000..5b864b2
--- /dev/null
+++ b/gnome-online-accounts-3.6.3.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:68c161ea06d344422e47881362429fff3e58f61f6998d6ad992ca3d015eb636c
+size 588908
diff --git a/gnome-online-accounts-CVE-2013-0240.patch b/gnome-online-accounts-CVE-2013-0240.patch
deleted file mode 100644
index 8eb1248..0000000
--- a/gnome-online-accounts-CVE-2013-0240.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 407c4cf96519cd9801cec4bc630c6e0d451c82a3 Mon Sep 17 00:00:00 2001
-From: Simon McVittie
-Date: Tue, 5 Feb 2013 13:43:34 +0000
-Subject: [PATCH] CVE-2013-0240: Do not allow invalid SSL certificates
-
-None of the branded providers (eg., Google, Facebook and Windows Live)
-should ever have an invalid certificate; and in this version of GOA,
-that's all we have. So set "ssl-strict" on the SoupSession object
-being used by GoaWebView.
---
- src/goabackend/goaoauth2provider.c | 6 ++++++
- src/goabackend/goaoauthprovider.c | 6 ++++++
- 2 files changed, 12 insertions(+)
-
-Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c
-===================================================================
---- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauth2provider.c
-+++ gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c
-@@ -692,6 +692,12 @@ on_web_view_document_load_finished (WebK
- gulong i;
-
- session = webkit_get_default_session ();
-+
-+ g_object_set (session,
-+ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
-+ SOUP_SESSION_SSL_STRICT, TRUE,
-+ NULL);
-+
- cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR));
- slist = soup_cookie_jar_all_cookies (cookie_jar);
- g_slist_foreach (slist, (GFunc) check_cookie, data);
-Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c
-===================================================================
---- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauthprovider.c
-+++ gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c
-@@ -725,6 +725,12 @@ on_web_view_document_load_finished (WebK
- gulong i;
-
- session = webkit_get_default_session ();
-+
-+ g_object_set (session,
-+ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
-+ SOUP_SESSION_SSL_STRICT, TRUE,
-+ NULL);
-+
- cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR));
- slist = soup_cookie_jar_all_cookies (cookie_jar);
- g_slist_foreach 
(slist, (GFunc) check_cookie, data);
diff --git a/gnome-online-accounts.changes b/gnome-online-accounts.changes
index 9a64a6a..f596ef2 100644
--- a/gnome-online-accounts.changes
+++ b/gnome-online-accounts.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Mar 4 16:31:44 UTC 2013 - dimstar@opensuse.org
+
+- Update to version 3.6.3:
+ + bgo#693214: Guard against invalid SSL certificates
+ (CVE-2013-0240)
+ + bgo#695106: Do not send the credentials before notifying the
+ user of an invalid SSL certificate (CVE-2013-1799).
+- Drop gnome-online-accounts-CVE-2013-0240.patch: fixed upstream.
+
-------------------------------------------------------------------
Wed Feb 6 20:03:29 UTC 2013 - dimstar@opensuse.org
diff --git a/gnome-online-accounts.spec b/gnome-online-accounts.spec
index bd4425f..be2e949 100644
--- a/gnome-online-accounts.spec
+++ b/gnome-online-accounts.spec
@@ -20,7 +20,7 @@
%define with_twitter 0
Name: gnome-online-accounts
-Version: 3.6.2
+Version: 3.6.3
Release: 0
Summary: GNOME service to access online accounts
License: LGPL-2.1+
@@ -28,8 +28,6 @@ Group: System/GUI/GNOME
Url: http://www.gnome.org
Source: http://download.gnome.org/sources/gnome-online-accounts/3.6/%{name}-%{version}.tar.xz
Source99: baselibs.conf
-# PATCH-FIX-UPSTREAM gnome-online-accounts-CVE-2013-0240.patch CVE-2013-0240 bnc#802409 bgo#693214 -- goa fails to verify SSL certificates when creating accounts
-Patch0: gnome-online-accounts-CVE-2013-0240.patch
BuildRequires: docbook-xsl-stylesheets
BuildRequires: gobject-introspection-devel
BuildRequires: gtk-doc
@@ -101,7 +99,6 @@ libraries in GNOME can access the user's online accounts.
%lang_package
%prep
%setup -q
-%patch0 -p1
%build
%if 0%{?with_twitter}