
branch master updated: gnu: libgrss: Fix CVE-2016-20011.


From: guix-commits
Subject: branch master updated: gnu: libgrss: Fix CVE-2016-20011.
Date: Sat, 03 Jul 2021 21:08:01 -0400

This is an automated email from the git hooks/post-receive script.

nckx pushed a commit to branch master
in repository guix.

The following commit(s) were added to refs/heads/master by this push:
     new 243d745  gnu: libgrss: Fix CVE-2016-20011.
243d745 is described below

commit 243d74579d2afdcad1f709909a3ac149475b3e23
Author: Tobias Geerinckx-Rice <me@tobias.gr>
AuthorDate: Sun Jul 4 03:03:47 2021 +0200

    gnu: libgrss: Fix CVE-2016-20011.
    
    * gnu/packages/gnome.scm (libgrss): Add patch.
    * gnu/packages/patches/libgrss-CVE-2016-2001.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                     |   1 +
 gnu/packages/gnome.scm                           |   4 +-
 gnu/packages/patches/libgrss-CVE-2016-2001.patch | 101 +++++++++++++++++++++++
 3 files changed, 105 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index b197ec5..beaf99b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1347,6 +1347,7 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/libgit2-mtime-0.patch                   \
   %D%/packages/patches/libgnome-encoding.patch                 \
   %D%/packages/patches/libgnomeui-utf8.patch                   \
+  %D%/packages/patches/libgrss-CVE-2016-2001.patch             \
   %D%/packages/patches/libjxr-fix-function-signature.patch     \
   %D%/packages/patches/libjxr-fix-typos.patch                  \
   %D%/packages/patches/libofa-ftbfs-1.diff             \
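Review bot: The patch file registered in this hunk is named `libgrss-CVE-2016-2001.patch`, but the commit title and the patch's own message both give the identifier as CVE-2016-20011, so the file name points at a different CVE number. The same name appears in the `search-patches` call in the gnu/packages/gnome.scm hunk and as the path of the new file, so all three places would need `libgrss-CVE-2016-20011.patch`. This is more than cosmetic if, as I believe, `guix lint -c cve` treats CVE ids found in patch file names as patched: under the current name the checker would presumably keep reporting CVE-2016-20011 for libgrss. Anyone searching the tree for the id would also miss the fix.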
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 57fa3cc..aa9504d 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -392,7 +392,9 @@ services.")
                        (version-major+minor version) "/"
                        name "-" version ".tar.xz"))
        (sha256
-        (base32 "1nalslgyglvhpva3px06fj6lv5zgfg0qmj0sbxyyl5d963vc02b7"))))
+        (base32 "1nalslgyglvhpva3px06fj6lv5zgfg0qmj0sbxyyl5d963vc02b7"))
+       (patches
+        (search-patches "libgrss-CVE-2016-2001.patch"))))
     (build-system glib-or-gtk-build-system)
     (outputs '("out" "doc"))
     (arguments
diff --git a/gnu/packages/patches/libgrss-CVE-2016-2001.patch 
b/gnu/packages/patches/libgrss-CVE-2016-2001.patch
new file mode 100644
index 0000000..b7de681
--- /dev/null
+++ b/gnu/packages/patches/libgrss-CVE-2016-2001.patch
@@ -0,0 +1,101 @@
+From 2c6ea642663e2a44efc8583fae7c54b7b98f72b3 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Mon, 7 Jun 2021 18:51:07 -0600
+Subject: [PATCH] Ensure the ssl-use-system-ca-file property is set to true on
+ all SoupSessions.
+
+The default SoupSessionSync and SoupSessionAsync behaviour does not perform any
+TLS certificate validation, unless the ssl-use-system-ca-file property is set
+to true.
+
+This mitigates CVE-2016-20011.
+---
+ src/feed-channel.c     | 2 ++
+ src/feed-enclosure.c   | 4 ++++
+ src/feeds-pool.c       | 1 +
+ src/feeds-publisher.c  | 4 +++-
+ src/feeds-subscriber.c | 4 +++-
+ 5 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/feed-channel.c b/src/feed-channel.c
+index 19ca7b2..d2d51b9 100644
+--- a/src/feed-channel.c
++++ b/src/feed-channel.c
+@@ -973,6 +973,8 @@ quick_and_dirty_parse (GrssFeedChannel *channel, 
SoupMessage *msg, GList **save_
+ static void
+ init_soup_session (SoupSession *session, GrssFeedChannel *channel)
+ {
++      g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
++
+       if (channel->priv->jar != NULL)
+               soup_session_add_feature (session, SOUP_SESSION_FEATURE 
(channel->priv->jar));
+       if (channel->priv->gzip == TRUE)
+diff --git a/src/feed-enclosure.c b/src/feed-enclosure.c
+index 68ebbfe..2cd8f9e 100644
+--- a/src/feed-enclosure.c
++++ b/src/feed-enclosure.c
+@@ -220,6 +220,8 @@ grss_feed_enclosure_fetch (GrssFeedEnclosure *enclosure, 
GError **error)
+       url = grss_feed_enclosure_get_url (enclosure);
+ 
+       session = soup_session_sync_new ();
++      g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
++
+       msg = soup_message_new ("GET", url);
+       status = soup_session_send_message (session, msg);
+ 
+@@ -282,6 +284,8 @@ grss_feed_enclosure_fetch_async (GrssFeedEnclosure 
*enclosure, GAsyncReadyCallba
+ 
+       task = g_task_new (enclosure, NULL, callback, user_data);
+       session = soup_session_async_new ();
++      g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
++
+       msg = soup_message_new ("GET", grss_feed_enclosure_get_url (enclosure));
+       soup_session_queue_message (session, msg, enclosure_downloaded, task);
+ }
+diff --git a/src/feeds-pool.c b/src/feeds-pool.c
+index f18f3cd..7b33956 100644
+--- a/src/feeds-pool.c
++++ b/src/feeds-pool.c
+@@ -178,6 +178,7 @@ grss_feeds_pool_init (GrssFeedsPool *node)
+       memset (node->priv, 0, sizeof (GrssFeedsPoolPrivate));
+       node->priv->parser = grss_feed_parser_new ();
+       node->priv->soupsession = soup_session_async_new ();
++      g_object_set (G_OBJECT (node->priv->soupsession), 
"ssl-use-system-ca-file", TRUE, NULL);
+ }
+ 
+ /**
+diff --git a/src/feeds-publisher.c b/src/feeds-publisher.c
+index 427a54f..500cd96 100644
+--- a/src/feeds-publisher.c
++++ b/src/feeds-publisher.c
+@@ -888,8 +888,10 @@ create_and_run_server (GrssFeedsPublisher *pub)
+ {
+       SoupAddress *soup_addr;
+ 
+-      if (pub->priv->soupsession == NULL)
++      if (pub->priv->soupsession == NULL) {
+               pub->priv->soupsession = soup_session_async_new ();
++              g_object_set (G_OBJECT (pub->priv->soupsession), 
"ssl-use-system-ca-file", TRUE, NULL);
++      }
+ 
+       soup_addr = soup_address_new_any (SOUP_ADDRESS_FAMILY_IPV4, 
pub->priv->port);
+       pub->priv->server = soup_server_new ("port", pub->priv->port, 
"interface", soup_addr, NULL);
+diff --git a/src/feeds-subscriber.c b/src/feeds-subscriber.c
+index 259f891..0f63f83 100644
+--- a/src/feeds-subscriber.c
++++ b/src/feeds-subscriber.c
+@@ -513,8 +513,10 @@ init_run_server (GrssFeedsSubscriber *sub)
+ {
+       GInetAddress *addr;
+ 
+-      if (sub->priv->soupsession == NULL)
++      if (sub->priv->soupsession == NULL) {
+               sub->priv->soupsession = soup_session_async_new ();
++              g_object_set (G_OBJECT (sub->priv->soupsession), 
"ssl-use-system-ca-file", TRUE, NULL);
++      }
+ 
+       /*
+               Flow:
+-- 
+GitLab
+
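Review bot: The property name is passed as the string literal `"ssl-use-system-ca-file"` in all six `g_object_set` calls (feed-channel.c, both fetch paths in feed-enclosure.c, feeds-pool.c, feeds-publisher.c, feeds-subscriber.c). A misspelled property name in `g_object_set` is only reported as a GLib warning at run time, so a typo would leave certificate validation off without any build failure. libsoup 2.x exports the name as a macro, so `g_object_set (G_OBJECT (session), SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);` turns a typo into a compile error, and a small static helper or the `soup_session_*_new_with_options` constructors would avoid six copies. The fix also relies on `ssl-strict` keeping its default, which I believe is TRUE; a one-line comment at the first call could state that dependency. Every touched function starts or ends outside its hunk, so whether the library creates sessions elsewhere cannot be judged from here.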


