fix CVE-2021-39365

2021-09-13 11:33:40 +08:00 · 2021-09-13 11:33:40 +08:00 · 8bab0c78ca
commit 8bab0c78ca
parent 781138bc57
2 changed files with 41 additions and 1 deletions
--- a/backport-fix-CVE-2021-39365.patch
+++ b/backport-fix-CVE-2021-39365.patch
@ -0,0 +1,32 @@
+From cd2472e506dafb1bb8ae510e34ad4797f63e263e Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Mon, 21 Jun 2021 15:00:14 +0200
+Subject: [PATCH] net: Fix TLS cert validation not being done for any network
+ call
+
+The default SoupSessionAsync behaviour does not perform any TLS certificate
+validation, unless the ssl-use-system-ca-file property is set to true.
+
+See https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/
+
+This mitigates CVE-2016-20011.
+
+Closes: #146
+---
+ libs/net/grl-net-wc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libs/net/grl-net-wc.c b/libs/net/grl-net-wc.c
+index 9bd4922..1193d4b 100644
+--- a/libs/net/grl-net-wc.c
+++ b/libs/net/grl-net-wc.c
+@@ -314,6 +314,7 @@ grl_net_wc_init (GrlNetWc *wc)
+   wc->priv = grl_net_wc_get_instance_private (wc);
+
+   wc->priv->session = soup_session_async_new ();
+  g_object_set (G_OBJECT (wc->priv->session), "ssl-use-system-ca-file", TRUE, NULL);
+   wc->priv->pending = g_queue_new ();
+
+   set_thread_context (wc);
+--
+2.27.0
--- a/grilo.spec
+++ b/grilo.spec
@ -3,13 +3,15 @@

 Name:           grilo
 Version:        0.3.13
-Release:        1
+Release:        2
 Summary:        A framework for browsing and searching media content

 License:        LGPLv2+
 URL:            https://wiki.gnome.org/Projects/Grilo
 Source0:        https://download.gnome.org/sources/grilo/%{release_version}/grilo-%{version}.tar.xz

+Patch6000:	backport-fix-CVE-2021-39365.patch
+
 BuildRequires:  chrpath glib2-devel gettext gobject-introspection-devel >= 0.9.0
 BuildRequires:  gtk-doc gtk3-devel liboauth-devel libsoup-devel libxml2-devel
 BuildRequires:  meson totem-pl-parser-devel vala >= 0.27.1 libxslt
@ -79,6 +81,12 @@ mkdir -p %{buildroot}%{_datadir}/grilo-%{release_version}/plugins/
 %{_datadir}/gtk-doc/html/grilo/

 %changelog
+* Mon Sep 13 2021 yangcheng<yangcheng87@huawei.com> - 0.3.13-2
+- Type:CVE
+- CVE:CVE-2021-39365
+- SUG:NA
+- DESC:fix CVE-2021-39365
+
 * Tue Feb 2 2021 jinzhimin <jinzhimin2@huawei.com> - 0.3.13-1
 - upgrade to 0.3.13