authorAriadne Conill <ariadne@dereferenced.org>2021-06-07 18:58:13 -0600
committerAriadne Conill <ariadne@dereferenced.org>2021-06-07 18:58:54 -0600
commit2f6b3a650df492a31aebf6c040893cf0def8d3d1 (patch)
tree25b9536a27327bff0ae71078f487a7a36d5df952
parent7bf5fdb586f40b63ce88ece0abb03a90bae4263f (diff)
community/libgrss: add mitigation for CVE-2016-20011
-rw-r--r--community/libgrss/APKBUILD14
-rw-r--r--community/libgrss/CVE-2016-20011.patch101
2 files changed, 112 insertions, 3 deletions
diff --git a/community/libgrss/APKBUILD b/community/libgrss/APKBUILD
index adcbecdabd..1003279c8b 100644
--- a/community/libgrss/APKBUILD
+++ b/community/libgrss/APKBUILD
@@ -2,14 +2,19 @@
# Maintainer: Rasmus Thomsen <oss@cogitri.dev>
pkgname=libgrss
pkgver=0.7.0
-pkgrel=0
+pkgrel=1
pkgdesc="Glib library for feeds"
url="https://wiki.gnome.org/Projects/Libgrss"
arch="all"
license="LGPL-3.0-or-later"
makedepends="glib-dev gtk-doc libxml2-dev libsoup-dev gobject-introspection-dev"
subpackages="$pkgname-dev $pkgname-doc"
-source="https://download.gnome.org/sources/libgrss/${pkgver%.*}/libgrss-$pkgver.tar.xz"
+source="https://download.gnome.org/sources/libgrss/${pkgver%.*}/libgrss-$pkgver.tar.xz
+ CVE-2016-20011.patch"
+
+# secfixes:
+# 0.7.0-r1:
+# - CVE-2016-20011
build() {
./configure \
@@ -31,4 +36,7 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="22a4f13ee979932575c6efd25bfd2fb184ea113aa34254d9e4bfb64cfbbd9b277dd235b8c9be037baf8c85bea7ba3bc1478ec3c7a3c87e63aeddb1774959c780 libgrss-0.7.0.tar.xz"
+sha512sums="
+22a4f13ee979932575c6efd25bfd2fb184ea113aa34254d9e4bfb64cfbbd9b277dd235b8c9be037baf8c85bea7ba3bc1478ec3c7a3c87e63aeddb1774959c780 libgrss-0.7.0.tar.xz
+d80ce2a39993a4559d88282082256a3382c9c68cc0a1df538a8fdc6a47a99275752f7f69a18fd486b45916b98929d149dbcaf0319f764a3f30ce0b595438c436 CVE-2016-20011.patch
+"
diff --git a/community/libgrss/CVE-2016-20011.patch b/community/libgrss/CVE-2016-20011.patch
new file mode 100644
index 0000000000..b7de681475
--- /dev/null
+++ b/community/libgrss/CVE-2016-20011.patch
@@ -0,0 +1,101 @@
+From 2c6ea642663e2a44efc8583fae7c54b7b98f72b3 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Mon, 7 Jun 2021 18:51:07 -0600
+Subject: [PATCH] Ensure the ssl-use-system-ca-file property is set to true on
+ all SoupSessions.
+
+The default SoupSessionSync and SoupSessionAsync behaviour does not perform any
+TLS certificate validation, unless the ssl-use-system-ca-file property is set
+to true.
+
+This mitigates CVE-2016-20011.
+---
+ src/feed-channel.c | 2 ++
+ src/feed-enclosure.c | 4 ++++
+ src/feeds-pool.c | 1 +
+ src/feeds-publisher.c | 4 +++-
+ src/feeds-subscriber.c | 4 +++-
+ 5 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/feed-channel.c b/src/feed-channel.c
+index 19ca7b2..d2d51b9 100644
+--- a/src/feed-channel.c
++++ b/src/feed-channel.c
+@@ -973,6 +973,8 @@ quick_and_dirty_parse (GrssFeedChannel *channel, SoupMessage *msg, GList **save_
+ static void
+ init_soup_session (SoupSession *session, GrssFeedChannel *channel)
+ {
++ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
++
+ if (channel->priv->jar != NULL)
+ soup_session_add_feature (session, SOUP_SESSION_FEATURE (channel->priv->jar));
+ if (channel->priv->gzip == TRUE)
+diff --git a/src/feed-enclosure.c b/src/feed-enclosure.c
+index 68ebbfe..2cd8f9e 100644
+--- a/src/feed-enclosure.c
++++ b/src/feed-enclosure.c
+@@ -220,6 +220,8 @@ grss_feed_enclosure_fetch (GrssFeedEnclosure *enclosure, GError **error)
+ url = grss_feed_enclosure_get_url (enclosure);
+
+ session = soup_session_sync_new ();
++ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
++
+ msg = soup_message_new ("GET", url);
+ status = soup_session_send_message (session, msg);
+
+@@ -282,6 +284,8 @@ grss_feed_enclosure_fetch_async (GrssFeedEnclosure *enclosure, GAsyncReadyCallba
+
+ task = g_task_new (enclosure, NULL, callback, user_data);
+ session = soup_session_async_new ();
++ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
++
+ msg = soup_message_new ("GET", grss_feed_enclosure_get_url (enclosure));
+ soup_session_queue_message (session, msg, enclosure_downloaded, task);
+ }
+diff --git a/src/feeds-pool.c b/src/feeds-pool.c
+index f18f3cd..7b33956 100644
+--- a/src/feeds-pool.c
++++ b/src/feeds-pool.c
+@@ -178,6 +178,7 @@ grss_feeds_pool_init (GrssFeedsPool *node)
+ memset (node->priv, 0, sizeof (GrssFeedsPoolPrivate));
+ node->priv->parser = grss_feed_parser_new ();
+ node->priv->soupsession = soup_session_async_new ();
++ g_object_set (G_OBJECT (node->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
+ }
+
+ /**
+diff --git a/src/feeds-publisher.c b/src/feeds-publisher.c
+index 427a54f..500cd96 100644
+--- a/src/feeds-publisher.c
++++ b/src/feeds-publisher.c
+@@ -888,8 +888,10 @@ create_and_run_server (GrssFeedsPublisher *pub)
+ {
+ SoupAddress *soup_addr;
+
+- if (pub->priv->soupsession == NULL)
++ if (pub->priv->soupsession == NULL) {
+ pub->priv->soupsession = soup_session_async_new ();
++ g_object_set (G_OBJECT (pub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
++ }
+
+ soup_addr = soup_address_new_any (SOUP_ADDRESS_FAMILY_IPV4, pub->priv->port);
+ pub->priv->server = soup_server_new ("port", pub->priv->port, "interface", soup_addr, NULL);
+diff --git a/src/feeds-subscriber.c b/src/feeds-subscriber.c
+index 259f891..0f63f83 100644
+--- a/src/feeds-subscriber.c
++++ b/src/feeds-subscriber.c
+@@ -513,8 +513,10 @@ init_run_server (GrssFeedsSubscriber *sub)
+ {
+ GInetAddress *addr;
+
+- if (sub->priv->soupsession == NULL)
++ if (sub->priv->soupsession == NULL) {
+ sub->priv->soupsession = soup_session_async_new ();
++ g_object_set (G_OBJECT (sub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
++ }
+
+ /*
+ Flow:
+--
+GitLab
+
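Review bot: The mitigation holds only for the six creation sites touched here, because `soup_session_sync_new ()` and `soup_session_async_new ()` leave `ssl-use-system-ca-file` at FALSE, so any creation site this patch misses, or one added later, silently falls back to unverified TLS; a small internal helper that constructs the session and sets the property would keep the enforcement in one place instead of repeating the same magic string in five files. As I recall, plain `soup_session_new ()` (libsoup >= 2.42) already defaults this property to TRUE, but switching constructors changes other session defaults and is larger than a distro patch should carry, which is why the helper is the safer shape. Enforcement also depends on `ssl-strict` staying at its default of TRUE, and requests to hosts with untrusted certificates will now complete with `SOUP_STATUS_SSL_FAILED`; the status handling after `soup_session_send_message` in `grss_feed_enclosure_fetch` continues outside the hunk, so confirm it surfaces that as an error rather than treating it as a transient failure. Each of the modified functions starts or ends outside its hunk.
```c
/* shared internal helper (private header), replacing the per-site g_object_set calls */
static SoupSession *
grss_session_new (gboolean async)
{
	SoupSession *session = async ? soup_session_async_new () : soup_session_sync_new ();

	/* SoupSessionSync/Async perform no certificate validation unless this is set */
	g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
	return session;
}

/* … unchanged: callers, e.g. in grss_feeds_pool_init … */
node->priv->soupsession = grss_session_new (TRUE);
```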