fix CVE-2021-39360

2021-11-12 14:32:54 +08:00 · 2021-11-12 14:32:54 +08:00 · dd7ac0664b
commit dd7ac0664b
parent d02b3ee704
2 changed files with 49 additions and 1 deletions
--- a/CVE-2021-39360.patch
+++ b/CVE-2021-39360.patch
@ -0,0 +1,43 @@
+From a033fe378d1683354adc3718fbdc7c07f793206d Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Thu, 14 Oct 2021 16:55:48 +0200
+Subject: [PATCH] skydrive: Guard against invalid SSL certificates
+
+Fixes: CVE-2021-39360
+
+https://gitlab.gnome.org/GNOME/libzapojit/-/issues/4
+---
+ src/zpj-skydrive.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/zpj-skydrive.c b/src/zpj-skydrive.c
+index c91b126..1d91d31 100644
+--- a/src/zpj-skydrive.c
+++ b/src/zpj-skydrive.c
+@@ -415,6 +415,7 @@ zpj_skydrive_delete_entry_id (ZpjSkydrive *self, const gchar *entry_id, GCancell
+     goto out;
+ 
+   session = soup_session_sync_new ();
+  g_object_set (session, SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
+ 
+   url = g_strconcat (live_endpoint, entry_id, NULL);
+   message = soup_message_new ("DELETE", url);
+@@ -744,6 +745,7 @@ zpj_skydrive_download_file_id_to_path (ZpjSkydrive *self,
+   data.loop = g_main_loop_new (context, FALSE);
+ 
+   session = soup_session_async_new_with_options (SOUP_SESSION_USE_THREAD_CONTEXT, TRUE, NULL);
+  g_object_set (session, SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
+ 
+   url = g_strconcat (live_endpoint, file_id, "/content", NULL);
+   message = soup_message_new ("GET", url);
+@@ -1291,6 +1293,7 @@ zpj_skydrive_upload_path_to_folder_id (ZpjSkydrive *self,
+     goto out;
+ 
+   session = soup_session_sync_new ();
+  g_object_set (session, SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
+ 
+   url = g_strconcat (live_endpoint, folder_id, "/files", NULL);
+   message = soup_message_new ("POST", url);
+-- 
+2.27.0
+
--- a/libzapojit.spec
+++ b/libzapojit.spec
@ -1,11 +1,13 @@
 Name:           libzapojit
 Version:        0.0.3
-Release:        15
+Release:        16
 Summary:        GLib/GObject wrapper for the SkyDrive and Hotmail REST APIs
 License:        LGPLv2+
 URL:            https://wiki.gnome.org/Projects/Zapojit
 Source0:        http://download.gnome.org/sources/libzapojit/0.0/libzapojit-%{version}.tar.xz

+Patch0001:      CVE-2021-39360.patch
+
 BuildRequires:  gettext pkgconfig(gio-2.0) >= 2.28 pkgconfig(glib-2.0) >= 2.28
 BuildRequires:  pkgconfig(gobject-2.0) >= 2.28 pkgconfig(goa-1.0)
 BuildRequires:  pkgconfig(gobject-introspection-1.0) gtk-doc intltool
@ -62,5 +64,8 @@ sed --in-place --expression 's! -shared ! -Wl,--as-needed\0!g' libtool
 %exclude %{_datadir}/doc/libzapojit

 %changelog
+* Fri Nov 12 2021 yaoxin <yaoxin30@huawei.com> - 0.0.3-16
+- Fix CVE-2021-39360
+
 * Tue Jun 9 2020 leiju <leiju4@huawei.com> - 0.0.3-15
 - Package init