Hello community,

here is the log from the commit of package gnome-online-accounts for 
openSUSE:Factory checked in at 2013-02-10 14:35:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnome-online-accounts (Old)
 and      /work/SRC/openSUSE:Factory/.gnome-online-accounts.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gnome-online-accounts", Maintainer is ""

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/gnome-online-accounts/gnome-online-accounts.changes  
    2012-11-20 10:20:28.000000000 +0100
+++ 
/work/SRC/openSUSE:Factory/.gnome-online-accounts.new/gnome-online-accounts.changes
 2013-02-10 14:35:17.000000000 +0100
@@ -1,0 +2,7 @@
+Wed Feb  6 20:03:29 UTC 2013 - [email protected]
+
+- Add gnome-online-accounts-CVE-2013-0240.patch: goa fails to
+  verify SSL certificates when creating accounts (bnc#802409,
+  bgo#693214, CVE-2013--240).
+
+-------------------------------------------------------------------

New:
----
  gnome-online-accounts-CVE-2013-0240.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gnome-online-accounts.spec ++++++
--- /var/tmp/diff_new_pack.b6Icb3/_old  2013-02-10 14:35:19.000000000 +0100
+++ /var/tmp/diff_new_pack.b6Icb3/_new  2013-02-10 14:35:19.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package gnome-online-accounts
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,6 +28,8 @@
 Url:            http://www.gnome.org
 Source:         
http://download.gnome.org/sources/gnome-online-accounts/3.6/%{name}-%{version}.tar.xz
 Source99:       baselibs.conf
+# PATCH-FIX-UPSTREAM gnome-online-accounts-CVE-2013-0240.patch CVE-2013-0240 
bnc#802409 bgo#693214 -- goa fails to verify SSL certificates when creating 
accounts
+Patch0:         gnome-online-accounts-CVE-2013-0240.patch
 BuildRequires:  docbook-xsl-stylesheets
 BuildRequires:  gobject-introspection-devel
 BuildRequires:  gtk-doc
@@ -99,6 +101,7 @@
 %lang_package
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 %if 0%{?with_twitter}


++++++ gnome-online-accounts-CVE-2013-0240.patch ++++++
>From 407c4cf96519cd9801cec4bc630c6e0d451c82a3 Mon Sep 17 00:00:00 2001
From: Simon McVittie <[email protected]>
Date: Tue, 5 Feb 2013 13:43:34 +0000
Subject: [PATCH] CVE-2013-0240: Do not allow invalid SSL certificates

None of the branded providers (e.g., Google, Facebook and Windows Live)
should ever have an invalid certificate; and in this version of GOA,
that's all we have. So set "ssl-strict" on the SoupSession object
being used by GoaWebView.
---
 src/goabackend/goaoauth2provider.c |    6 ++++++
 src/goabackend/goaoauthprovider.c  |    6 ++++++
 2 files changed, 12 insertions(+)

Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c
===================================================================
--- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauth2provider.c
+++ gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c
@@ -692,6 +692,12 @@ on_web_view_document_load_finished (WebK
   gulong i;
 
   session = webkit_get_default_session ();
+
+  g_object_set (session,
+      SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+      SOUP_SESSION_SSL_STRICT, TRUE,
+      NULL);
+
   cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, 
SOUP_TYPE_COOKIE_JAR));
   slist = soup_cookie_jar_all_cookies (cookie_jar);
   g_slist_foreach (slist, (GFunc) check_cookie, data);
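Review bot: The `g_object_set (session, ...)` call that enables `SOUP_SESSION_SSL_STRICT` sits inside `on_web_view_document_load_finished`, which by its name runs only after a document has already loaded, so the request for the first page of the login flow may have gone out before certificate checking was strict. Setting both properties once, before the web view issues its first load (for example where the view or its session is set up), would close that window and avoid re-applying them on every load; the function's body starts and ends outside this hunk, so confirm where the first request is made. The identical block in `goaoauthprovider.c` has the same issue and is indented differently (ten spaces instead of six), so a shared helper would keep the two providers in step. A short comment above the call, such as `/* Reject invalid TLS certificates: strict checking against the system CA store (CVE-2013-0240) */`, would record why the process-wide default session is being modified.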
Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c
===================================================================
--- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauthprovider.c
+++ gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c
@@ -725,6 +725,12 @@ on_web_view_document_load_finished (WebK
   gulong i;
 
   session = webkit_get_default_session ();
+
+  g_object_set (session,
+          SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+          SOUP_SESSION_SSL_STRICT, TRUE,
+          NULL);
+
   cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session, 
SOUP_TYPE_COOKIE_JAR));
   slist = soup_cookie_jar_all_cookies (cookie_jar);
   g_slist_foreach (slist, (GFunc) check_cookie, data);
-- 