diff options
| author | Ariadne Conill <ariadne@dereferenced.org> | 2021-06-07 18:58:13 -0600 |
|---|---|---|
| committer | Ariadne Conill <ariadne@dereferenced.org> | 2021-06-07 18:58:54 -0600 |
| commit | 2f6b3a650df492a31aebf6c040893cf0def8d3d1 (patch) | |
| tree | 25b9536a27327bff0ae71078f487a7a36d5df952 | |
| parent | 7bf5fdb586f40b63ce88ece0abb03a90bae4263f (diff) | |
| download | aports-2f6b3a650df492a31aebf6c040893cf0def8d3d1.tar.gz aports-2f6b3a650df492a31aebf6c040893cf0def8d3d1.tar.bz2 aports-2f6b3a650df492a31aebf6c040893cf0def8d3d1.tar.xz | |
community/libgrss: add mitigation for CVE-2016-20011
| -rw-r--r-- | community/libgrss/APKBUILD | 14 | ||||
| -rw-r--r-- | community/libgrss/CVE-2016-20011.patch | 101 |
2 files changed, 112 insertions, 3 deletions
diff --git a/community/libgrss/APKBUILD b/community/libgrss/APKBUILD index adcbecdabd..1003279c8b 100644 --- a/community/libgrss/APKBUILD +++ b/community/libgrss/APKBUILD @@ -2,14 +2,19 @@ # Maintainer: Rasmus Thomsen <oss@cogitri.dev> pkgname=libgrss pkgver=0.7.0 -pkgrel=0 +pkgrel=1 pkgdesc="Glib library for feeds" url="https://wiki.gnome.org/Projects/Libgrss" arch="all" license="LGPL-3.0-or-later" makedepends="glib-dev gtk-doc libxml2-dev libsoup-dev gobject-introspection-dev" subpackages="$pkgname-dev $pkgname-doc" -source="https://download.gnome.org/sources/libgrss/${pkgver%.*}/libgrss-$pkgver.tar.xz" +source="https://download.gnome.org/sources/libgrss/${pkgver%.*}/libgrss-$pkgver.tar.xz + CVE-2016-20011.patch" + +# secfixes: +# 0.7.0-r1: +# - CVE-2016-20011 build() { ./configure \ @@ -31,4 +36,7 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="22a4f13ee979932575c6efd25bfd2fb184ea113aa34254d9e4bfb64cfbbd9b277dd235b8c9be037baf8c85bea7ba3bc1478ec3c7a3c87e63aeddb1774959c780 libgrss-0.7.0.tar.xz" +sha512sums=" +22a4f13ee979932575c6efd25bfd2fb184ea113aa34254d9e4bfb64cfbbd9b277dd235b8c9be037baf8c85bea7ba3bc1478ec3c7a3c87e63aeddb1774959c780 libgrss-0.7.0.tar.xz +d80ce2a39993a4559d88282082256a3382c9c68cc0a1df538a8fdc6a47a99275752f7f69a18fd486b45916b98929d149dbcaf0319f764a3f30ce0b595438c436 CVE-2016-20011.patch +" diff --git a/community/libgrss/CVE-2016-20011.patch b/community/libgrss/CVE-2016-20011.patch new file mode 100644 index 0000000000..b7de681475 --- /dev/null +++ b/community/libgrss/CVE-2016-20011.patch @@ -0,0 +1,101 @@ +From 2c6ea642663e2a44efc8583fae7c54b7b98f72b3 Mon Sep 17 00:00:00 2001 +From: Ariadne Conill <ariadne@dereferenced.org> +Date: Mon, 7 Jun 2021 18:51:07 -0600 +Subject: [PATCH] Ensure the ssl-use-system-ca-file property is set to true on + all SoupSessions. + +The default SoupSessionSync and SoupSessionAsync behaviour does not perform any +TLS certificate validation, unless the ssl-use-system-ca-file property is set +to true. + +This mitigates CVE-2016-20011. +--- + src/feed-channel.c | 2 ++ + src/feed-enclosure.c | 4 ++++ + src/feeds-pool.c | 1 + + src/feeds-publisher.c | 4 +++- + src/feeds-subscriber.c | 4 +++- + 5 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/src/feed-channel.c b/src/feed-channel.c +index 19ca7b2..d2d51b9 100644 +--- a/src/feed-channel.c ++++ b/src/feed-channel.c +@@ -973,6 +973,8 @@ quick_and_dirty_parse (GrssFeedChannel *channel, SoupMessage *msg, GList **save_ + static void + init_soup_session (SoupSession *session, GrssFeedChannel *channel) + { ++ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL); ++ + if (channel->priv->jar != NULL) + soup_session_add_feature (session, SOUP_SESSION_FEATURE (channel->priv->jar)); + if (channel->priv->gzip == TRUE) +diff --git a/src/feed-enclosure.c b/src/feed-enclosure.c +index 68ebbfe..2cd8f9e 100644 +--- a/src/feed-enclosure.c ++++ b/src/feed-enclosure.c +@@ -220,6 +220,8 @@ grss_feed_enclosure_fetch (GrssFeedEnclosure *enclosure, GError **error) + url = grss_feed_enclosure_get_url (enclosure); + + session = soup_session_sync_new (); ++ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL); ++ + msg = soup_message_new ("GET", url); + status = soup_session_send_message (session, msg); + +@@ -282,6 +284,8 @@ grss_feed_enclosure_fetch_async (GrssFeedEnclosure *enclosure, GAsyncReadyCallba + + task = g_task_new (enclosure, NULL, callback, user_data); + session = soup_session_async_new (); ++ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL); ++ + msg = soup_message_new ("GET", grss_feed_enclosure_get_url (enclosure)); + soup_session_queue_message (session, msg, enclosure_downloaded, task); + } +diff --git a/src/feeds-pool.c b/src/feeds-pool.c +index f18f3cd..7b33956 100644 +--- a/src/feeds-pool.c ++++ b/src/feeds-pool.c +@@ -178,6 +178,7 @@ grss_feeds_pool_init (GrssFeedsPool *node) + memset (node->priv, 0, sizeof (GrssFeedsPoolPrivate)); + node->priv->parser = grss_feed_parser_new (); + node->priv->soupsession = soup_session_async_new (); ++ g_object_set (G_OBJECT (node->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL); + } + + /** +diff --git a/src/feeds-publisher.c b/src/feeds-publisher.c +index 427a54f..500cd96 100644 +--- a/src/feeds-publisher.c ++++ b/src/feeds-publisher.c +@@ -888,8 +888,10 @@ create_and_run_server (GrssFeedsPublisher *pub) + { + SoupAddress *soup_addr; + +- if (pub->priv->soupsession == NULL) ++ if (pub->priv->soupsession == NULL) { + pub->priv->soupsession = soup_session_async_new (); ++ g_object_set (G_OBJECT (pub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL); ++ } + + soup_addr = soup_address_new_any (SOUP_ADDRESS_FAMILY_IPV4, pub->priv->port); + pub->priv->server = soup_server_new ("port", pub->priv->port, "interface", soup_addr, NULL); +diff --git a/src/feeds-subscriber.c b/src/feeds-subscriber.c +index 259f891..0f63f83 100644 +--- a/src/feeds-subscriber.c ++++ b/src/feeds-subscriber.c +@@ -513,8 +513,10 @@ init_run_server (GrssFeedsSubscriber *sub) + { + GInetAddress *addr; + +- if (sub->priv->soupsession == NULL) ++ if (sub->priv->soupsession == NULL) { + sub->priv->soupsession = soup_session_async_new (); ++ g_object_set (G_OBJECT (sub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL); ++ } + + /* + Flow: +-- +GitLab + |