Control: tags 992971 + patch
Control: tags 992971 + pending

Hi Alberto,

I've prepared an NMU for grilo (versioned as 0.3.13-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

It is basically just a rebuild of your upload for bullseye-security to have the fix as well in unstable/testing.

Regards,
Salvatore

diff -Nru grilo-0.3.13/debian/changelog grilo-0.3.13/debian/changelog --- grilo-0.3.13/debian/changelog 2020-09-06 12:51:05.000000000 +0200 +++ grilo-0.3.13/debian/changelog 2021-09-02 23:05:13.000000000 +0200 @@ -1,3 +1,14 @@ +grilo (0.3.13-1.1) unstable; urgency=medium + + * Non-maintainer upload. + + [ Alberto Garcia ] + * fix-tls-cert-validation.patch: + - Fix TLS cert validation not being done for any network call + (Closes: #992971, CVE-2021-39365). + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 02 Sep 2021 23:05:13 +0200 + grilo (0.3.13-1) unstable; urgency=medium [ Alberto Garcia ] diff -Nru grilo-0.3.13/debian/patches/fix-tls-cert-validation.patch grilo-0.3.13/debian/patches/fix-tls-cert-validation.patch --- grilo-0.3.13/debian/patches/fix-tls-cert-validation.patch 1970-01-01 01:00:00.000000000 +0100 +++ grilo-0.3.13/debian/patches/fix-tls-cert-validation.patch 2021-08-26 23:10:58.000000000 +0200 @@ -0,0 +1,17 @@ +From: Bastien Nocera <had...@hadess.net> +Subject: Fix TLS cert validation not being done for any network call (CVE-2021-39365) +Bug: https://gitlab.gnome.org/GNOME/grilo/-/issues/146 +Bug-Debian: https://bugs.debian.org/992971 +Origin: https://gitlab.gnome.org/GNOME/grilo/-/commit/cd2472e506dafb1bb8ae510e34ad4797f63e263e +Index: grilo/libs/net/grl-net-wc.c +=================================================================== +--- grilo.orig/libs/net/grl-net-wc.c ++++ grilo/libs/net/grl-net-wc.c +@@ -314,6 +314,7 @@ grl_net_wc_init (GrlNetWc *wc) + wc->priv = grl_net_wc_get_instance_private (wc); + + wc->priv->session = soup_session_async_new (); ++ g_object_set (G_OBJECT (wc->priv->session), "ssl-use-system-ca-file", TRUE, NULL); + wc->priv->pending = g_queue_new (); + + set_thread_context (wc); diff -Nru grilo-0.3.13/debian/patches/series grilo-0.3.13/debian/patches/series --- grilo-0.3.13/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ grilo-0.3.13/debian/patches/series 2021-08-26 23:10:58.000000000 +0200 
@@ -0,0 +1 @@ +fix-tls-cert-validation.patch
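
Review bot: in the grl_net_wc_init hunk of fix-tls-cert-validation.patch, the added g_object_set line carries no comment saying that it is what turns certificate validation on, so a later cleanup of the session setup could drop it without anyone noticing. Put a one-line comment above it, for example /* validate TLS certificates against the system CA store (CVE-2021-39365) */, and consider passing "ssl-use-system-ca-file" when the session is constructed rather than setting it afterwards, so the option cannot be separated from the session creation. The patch also adds no test; a regression check that a request to a host presenting an untrusted certificate fails would be worth proposing upstream.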