From dd7ac0664bb9ed6080c7230814c2928cce45720e Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Fri, 12 Nov 2021 14:32:54 +0800
Subject: [PATCH] fix CVE-2021-39360
---
 CVE-2021-39360.patch | 43 +++++++++++++++++++++++++++++++++++++++++++
 libzapojit.spec | 7 ++++++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-39360.patch
diff --git a/CVE-2021-39360.patch b/CVE-2021-39360.patch
new file mode 100644
index 0000000..cebb48c
--- /dev/null
+++ b/CVE-2021-39360.patch
@@ -0,0 +1,43 @@
+From a033fe378d1683354adc3718fbdc7c07f793206d Mon Sep 17 00:00:00 2001
+From: Debarshi Ray
+Date: Thu, 14 Oct 2021 16:55:48 +0200
+Subject: [PATCH] skydrive: Guard against invalid SSL certificates
+
+Fixes: CVE-2021-39360
+
+https://gitlab.gnome.org/GNOME/libzapojit/-/issues/4
+---
+ src/zpj-skydrive.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/zpj-skydrive.c b/src/zpj-skydrive.c
+index c91b126..1d91d31 100644
+--- a/src/zpj-skydrive.c
++++ b/src/zpj-skydrive.c
+@@ -415,6 +415,7 @@ zpj_skydrive_delete_entry_id (ZpjSkydrive *self, const gchar *entry_id, GCancell
+ goto out;
+
+ session = soup_session_sync_new ();
++ g_object_set (session, SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
+
+ url = g_strconcat (live_endpoint, entry_id, NULL);
+ message = soup_message_new ("DELETE", url);
+@@ -744,6 +745,7 @@ zpj_skydrive_download_file_id_to_path (ZpjSkydrive *self,
+ data.loop = g_main_loop_new (context, FALSE);
+
+ session = soup_session_async_new_with_options (SOUP_SESSION_USE_THREAD_CONTEXT, TRUE, NULL);
++ g_object_set (session, SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
+
+ url = g_strconcat (live_endpoint, file_id, "/content", NULL);
+ message = soup_message_new ("GET", url);
+@@ -1291,6 +1293,7 @@ zpj_skydrive_upload_path_to_folder_id (ZpjSkydrive *self,
+ goto out;
+
+ session = soup_session_sync_new ();
++ g_object_set (session, SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
+
+ url = g_strconcat (live_endpoint, folder_id, "/files", NULL);
+ message = soup_message_new ("POST", url);
+--
+2.27.0
+
diff --git a/libzapojit.spec b/libzapojit.spec
index 5662587..20f77e6 100644
--- a/libzapojit.spec
+++ b/libzapojit.spec
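Review bot: Certificate validation now rests on the same `g_object_set` line repeated at three separate session-creation sites (`zpj_skydrive_delete_entry_id`, `zpj_skydrive_download_file_id_to_path`, `zpj_skydrive_upload_path_to_folder_id`), with no comment saying why it is there, so a session added to this file later can omit it without anyone noticing. I would fold the property into the constructor, e.g. `session = soup_session_sync_new_with_options (SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);` and an extra pair in the existing `soup_session_async_new_with_options` call, or at least add `/* Without a CA store the session does not reject an invalid server certificate (CVE-2021-39360). */` above each call. The embedded hunks show only a few lines of each function, whose bodies start and end outside them, so it is worth confirming against the full file that zpj-skydrive.c creates no other SoupSession that is left without the property.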
@@ -1,11 +1,13 @@ Name: libzapojit Version: 0.0.3 -Release: 15 +Release: 16 Summary: GLib/GObject wrapper for the SkyDrive and Hotmail REST APIs License: LGPLv2+ URL: https://wiki.gnome.org/Projects/Zapojit Source0: http://download.gnome.org/sources/libzapojit/0.0/libzapojit-%{version}.tar.xz +Patch0001: CVE-2021-39360.patch + BuildRequires: gettext pkgconfig(gio-2.0) >= 2.28 pkgconfig(glib-2.0) >= 2.28 BuildRequires: pkgconfig(gobject-2.0) >= 2.28 pkgconfig(goa-1.0) BuildRequires: pkgconfig(gobject-introspection-1.0) gtk-doc intltool @@ -62,5 +64,8 @@ sed --in-place --expression 's! -shared ! -Wl,--as-needed\0!g' libtool %exclude %{_datadir}/doc/libzapojit %changelog +* Fri Nov 12 2021 yaoxin - 0.0.3-16 +- Fix CVE-2021-39360 + * Tue Jun 9 2020 leiju - 0.0.3-15 - Package init
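Review bot: `Patch0001: CVE-2021-39360.patch` is declared in the first hunk, but neither hunk touches `%prep`, so the fix only reaches the build if `%prep` already applies patches automatically (`%autosetup -p1` or `%autopatch`). If `%prep` uses a plain `%setup`, it also needs `%patch -P 1 -p1`; otherwise the package ships as 0.0.3-16 with a changelog entry claiming the CVE fix while the compiled source is unchanged. `%prep` lies outside both hunks, so this has to be checked against the full spec, ideally by confirming in the build log that the patch is applied.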