Hello community,
here is the log from the commit of package gnome-online-accounts for
openSUSE:12.3 checked in at 2013-02-10 14:35:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3/gnome-online-accounts (Old)
and /work/SRC/openSUSE:12.3/.gnome-online-accounts.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnome-online-accounts", Maintainer is ""
Changes:
--------
--- /work/SRC/openSUSE:12.3/gnome-online-accounts/gnome-online-accounts.changes
2013-01-31 01:18:20.000000000 +0100
+++
/work/SRC/openSUSE:12.3/.gnome-online-accounts.new/gnome-online-accounts.changes
2013-02-10 14:35:27.000000000 +0100
@@ -1,0 +2,7 @@
+Wed Feb 6 20:03:29 UTC 2013 - [email protected]
+
+- Add gnome-online-accounts-CVE-2013-0240.patch: goa fails to
+ verify SSL certificates when creating accounts (bnc#802409,
+ bgo#693214, CVE-2013--240).
+
+-------------------------------------------------------------------
New:
----
gnome-online-accounts-CVE-2013-0240.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gnome-online-accounts.spec ++++++
--- /var/tmp/diff_new_pack.RKeL6E/_old 2013-02-10 14:35:27.000000000 +0100
+++ /var/tmp/diff_new_pack.RKeL6E/_new 2013-02-10 14:35:27.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package gnome-online-accounts
#
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -28,6 +28,8 @@
Url: http://www.gnome.org
Source:
http://download.gnome.org/sources/gnome-online-accounts/3.6/%{name}-%{version}.tar.xz
Source99: baselibs.conf
+# PATCH-FIX-UPSTREAM gnome-online-accounts-CVE-2013-0240.patch CVE-2013-0240
bnc#802409 bgo#693214 -- goa fails to verify SSL certificates when creating
accounts
+Patch0: gnome-online-accounts-CVE-2013-0240.patch
BuildRequires: docbook-xsl-stylesheets
BuildRequires: gobject-introspection-devel
BuildRequires: gtk-doc
@@ -99,6 +101,7 @@
%lang_package
%prep
%setup -q
+%patch0 -p1
%build
%if 0%{?with_twitter}
++++++ gnome-online-accounts-CVE-2013-0240.patch ++++++
>From 407c4cf96519cd9801cec4bc630c6e0d451c82a3 Mon Sep 17 00:00:00 2001
From: Simon McVittie <[email protected]>
Date: Tue, 5 Feb 2013 13:43:34 +0000
Subject: [PATCH] CVE-2013-0240: Do not allow invalid SSL certificates
None of the branded providers (eg., Google, Facebook and Windows Live)
should ever have an invalid certificate; and in this version of GOA,
that's all we have. So set "ssl-strict" on the SoupSession object
being used by GoaWebView.
---
src/goabackend/goaoauth2provider.c | 6 ++++++
src/goabackend/goaoauthprovider.c | 6 ++++++
2 files changed, 12 insertions(+)
Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c
===================================================================
--- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauth2provider.c
+++ gnome-online-accounts-3.6.2/src/goabackend/goaoauth2provider.c
@@ -692,6 +692,12 @@ on_web_view_document_load_finished (WebK
gulong i;
session = webkit_get_default_session ();
+
+ g_object_set (session,
+ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ SOUP_SESSION_SSL_STRICT, TRUE,
+ NULL);
+
cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session,
SOUP_TYPE_COOKIE_JAR));
slist = soup_cookie_jar_all_cookies (cookie_jar);
g_slist_foreach (slist, (GFunc) check_cookie, data);
Index: gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c
===================================================================
--- gnome-online-accounts-3.6.2.orig/src/goabackend/goaoauthprovider.c
+++ gnome-online-accounts-3.6.2/src/goabackend/goaoauthprovider.c
@@ -725,6 +725,12 @@ on_web_view_document_load_finished (WebK
gulong i;
session = webkit_get_default_session ();
+
+ g_object_set (session,
+ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ SOUP_SESSION_SSL_STRICT, TRUE,
+ NULL);
+
cookie_jar = SOUP_COOKIE_JAR (soup_session_get_feature (session,
SOUP_TYPE_COOKIE_JAR));
slist = soup_cookie_jar_all_cookies (cookie_jar);
g_slist_foreach (slist, (GFunc) check_cookie, data);
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
