diff --git a/gnome-online-accounts-CVE-2013-0240.patch b/gnome-online-accounts-CVE-2013-0240.patch
new file mode 100644
index 0000000..8eb1248
--- /dev/null
+++ b/gnome-online-accounts-CVE-2013-0240.patch
@@ -0,0 +1,48 @@
+From 407c4cf96519cd9801cec4bc630c6e0d451c82a3 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Tue, 5 Feb 2013 13:43:34 +0000
+Subject: [PATCH] CVE-2013-0240: Do not allow invalid SSL certificates
+
+None of the branded providers (eg., Google, Facebook and Windows Live)
+should ever have an invalid certificate; and in this version of GOA,
+that's all we have. So set "ssl-strict" on the SoupSession object
+being used by GoaWebView.
+---
+ src/goabackend/goaoauth2provider.c | 6 ++++++
+ src/goabackend/goaoauthprovider.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c
+===================================================================
+--- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauth2provider.c
++++ gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c
+@@ -692,6 +692,12 @@ on_web_view_document_load_finished (WebK
+ gulong i;
+
+ session = webkit_get_default_session ();
++
++ g_object_set (session,
++ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
++ SOUP_SESSION_SSL_STRICT, TRUE,
++ NULL);
++
+ cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR));
+ slist = soup_cookie_jar_all_cookies (cookie_jar);
+ g_slist_foreach (slist, (GFunc) check_cookie, data);
+Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c
+===================================================================
+--- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauthprovider.c
++++ gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c
+@@ -725,6 +725,12 @@ on_web_view_document_load_finished (WebK
+ gulong i;
+
+ session = webkit_get_default_session ();
++
++ g_object_set (session,
++ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
++ SOUP_SESSION_SSL_STRICT, TRUE,
++ NULL);
++
+ cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR));
+ slist = soup_cookie_jar_all_cookies (cookie_jar);
+ g_slist_foreach (slist, (GFunc) check_cookie, data);
diff --git a/gnome-online-accounts.changes b/gnome-online-accounts.changes
index 937407d..9a64a6a 100644
--- a/gnome-online-accounts.changes
+++ b/gnome-online-accounts.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 6 20:03:29 UTC 2013 - dimstar@opensuse.org
+
+- Add gnome-online-accounts-CVE-2013-0240.patch: goa fails to
+ verify SSL certificates when creating accounts (bnc#802409,
+ bgo#693214, CVE-2013--240).
+
 -------------------------------------------------------------------
 Wed Nov 14 13:05:51 UTC 2012 - dimstar@opensuse.org
diff --git a/gnome-online-accounts.spec b/gnome-online-accounts.spec
index 18d86e2..bd4425f 100644
--- a/gnome-online-accounts.spec
+++ b/gnome-online-accounts.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package gnome-online-accounts
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,6 +28,8 @@ Group: System/GUI/GNOME
 Url: http://www.gnome.org
 Source: http://download.gnome.org/sources/gnome-online-accounts/3.6/%{name}-%{version}.tar.xz
 Source99: baselibs.conf
+# PATCH-FIX-UPSTREAM gnome-online-accounts-CVE-2013-0240.patch CVE-2013-0240 bnc#802409 bgo#693214 -- goa fails to verify SSL certificates when creating accounts
+Patch0: gnome-online-accounts-CVE-2013-0240.patch
 BuildRequires: docbook-xsl-stylesheets
 BuildRequires: gobject-introspection-devel
 BuildRequires: gtk-doc
@@ -99,6 +101,7 @@ libraries in GNOME can access the user's online accounts.
 %lang_package
 %prep
 %setup -q
+%patch0 -p1
 %build
 %if 0%{?with_twitter}
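Review bot: The strict-TLS properties are applied to the shared default session from inside `on_web_view_document_load_finished`, a callback whose name suggests it runs only after a document has already been loaded, so whether the initial fetch of the provider's login page was itself verified appears to depend on the session's prior `ssl-strict` default, which the patch does not show; the same applies to the second hunk in goaoauthprovider.c. Since `webkit_get_default_session()` is the process-wide session, the setting also governs any other WebKit view in the process, which is worth stating so a later maintainer does not relax it for an unrelated view. I would add, above the `g_object_set` call in both files, `/* CVE-2013-0240: reject invalid TLS certificates on the shared session; the branded providers never need an exception. */`. `on_web_view_document_load_finished` starts and ends outside the hunk in both files.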