Accepting request 154976 from GNOME:Factory

Fix CVE-2013-0240 (forwarded request 151522 from Zaitor)

OBS-URL: https://build.opensuse.org/request/show/154976
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnome-online-accounts?expand=0&rev=21

gnome-online-accounts-CVE-2013-0240.patch

@@ -0,0 +1,48 @@
+From 407c4cf96519cd9801cec4bc630c6e0d451c82a3 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Date: Tue, 5 Feb 2013 13:43:34 +0000
+Subject: [PATCH] CVE-2013-0240: Do not allow invalid SSL certificates
+
+None of the branded providers (eg., Google, Facebook and Windows Live)
+should ever have an invalid certificate; and in this version of GOA,
+that's all we have. So set "ssl-strict" on the SoupSession object
+being used by GoaWebView.
+---
+ src/goabackend/goaoauth2provider.c |    6 ++++++
+ src/goabackend/goaoauthprovider.c  |    6 ++++++
+ 2 files changed, 12 insertions(+)
+
+Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c
+===================================================================
+--- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauth2provider.c
++++ gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c
+@@ -692,6 +692,12 @@ on_web_view_document_load_finished (WebK
+   gulong i;
+ 
+   session = webkit_get_default_session ();
++
++  g_object_set (session,
++      SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
++      SOUP_SESSION_SSL_STRICT, TRUE,
++      NULL);
++
+   cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR));
+   slist = soup_cookie_jar_all_cookies (cookie_jar);
+   g_slist_foreach (slist, (GFunc) check_cookie, data);
+Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c
+===================================================================
+--- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauthprovider.c
++++ gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c
+@@ -725,6 +725,12 @@ on_web_view_document_load_finished (WebK
+   gulong i;
+ 
+   session = webkit_get_default_session ();
++
++  g_object_set (session,
++          SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
++          SOUP_SESSION_SSL_STRICT, TRUE,
++          NULL);
++
+   cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, SOUP_TYPE_COOKIE_JAR));
+   slist = soup_cookie_jar_all_cookies (cookie_jar);
+   g_slist_foreach (slist, (GFunc) check_cookie, data);

gnome-online-accounts.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb  6 20:03:29 UTC 2013 - dimstar@opensuse.org
+
+- Add gnome-online-accounts-CVE-2013-0240.patch: goa fails to
+  verify SSL certificates when creating accounts (bnc#802409,
+  bgo#693214, CVE-2013--240).
+
 -------------------------------------------------------------------
 Wed Nov 14 13:05:51 UTC 2012 - dimstar@opensuse.org
 

gnome-online-accounts.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package gnome-online-accounts
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,6 +28,8 @@ Group:          System/GUI/GNOME
 Url:            http://www.gnome.org
 Source:         http://download.gnome.org/sources/gnome-online-accounts/3.6/%{name}-%{version}.tar.xz
 Source99:       baselibs.conf
+# PATCH-FIX-UPSTREAM gnome-online-accounts-CVE-2013-0240.patch CVE-2013-0240 bnc#802409 bgo#693214 -- goa fails to verify SSL certificates when creating accounts
+Patch0:         gnome-online-accounts-CVE-2013-0240.patch
 BuildRequires:  docbook-xsl-stylesheets
 BuildRequires:  gobject-introspection-devel
 BuildRequires:  gtk-doc
@@ -99,6 +101,7 @@ libraries in GNOME can access the user's online accounts.
 %lang_package
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 %if 0%{?with_twitter}