Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 725880 - <net-libs/glib-networking-2.62.4: Improper TLS certificate validation (CVE-2020-13645)
Summary: <net-libs/glib-networking-2.62.4: Improper TLS certificate validation (CVE-20...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://gitlab.gnome.org/GNOME/glib-n...
Whiteboard: B3 [glsa+ cve]
Keywords: CC-ARCHES
Depends on:
Blocks: CVE-2020-13645
  Show dependency tree
 
Reported: 2020-05-28 12:48 UTC by Sam James
Modified: 2020-07-27 01:35 UTC (History)
1 user (show)

See Also:
Package list:
net-libs/glib-networking-2.62.4
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-28 12:48:01 UTC 
Description:
"In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-28 12:59:14 UTC 
Patch: https://gitlab.gnome.org/GNOME/glib-networking/-/commit/dbc8d69f58b07f6ed091aa123e5d40a53573a5fc

@maintainer(s), please apply if possible.
Comment 2 Mart Raudsepp gentoo-dev 2020-06-01 11:00:05 UTC 
For anyone thinking of just requesting 2.64 stable - you must not do that unless you are stabling glib-2.64 and co as well. They need to be in sync.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-04 11:16:49 UTC 
(In reply to Mart Raudsepp from comment #2)
> For anyone thinking of just requesting 2.64 stable - you must not do that
> unless you are stabling glib-2.64 and co as well. They need to be in sync.

Does the patch apply ok?
Comment 4 Larry the Git Cow gentoo-dev 2020-06-13 22:03:33 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be97151dd594ba04f27603a9c067e4a5bed859f5

commit be97151dd594ba04f27603a9c067e4a5bed859f5
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-06-13 22:02:11 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-06-13 22:03:03 +0000

    net-libs/glib-networking: bump to 2.64.3 for CVE-2020-13645
    
    Blind bump, hope it works.
    
    Bug: https://bugs.gentoo.org/725880
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/glib-networking/Manifest                  |  1 +
 .../glib-networking/glib-networking-2.64.3.ebuild  | 73 ++++++++++++++++++++++
 2 files changed, 74 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9aaf52255a767b13268c84a6b612dec17339fded

commit 9aaf52255a767b13268c84a6b612dec17339fded
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-06-13 21:59:11 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-06-13 22:03:03 +0000

    net-libs/glib-networking: bump to 2.62.4 for CVE-2020-13645
    
    Bug: https://bugs.gentoo.org/725880
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/glib-networking/Manifest                  |  1 +
 .../glib-networking/glib-networking-2.62.4.ebuild  | 73 ++++++++++++++++++++++
 2 files changed, 74 insertions(+)
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2020-06-14 20:23:08 UTC 
ppc/ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-15 15:01:17 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-15 15:04:42 UTC 
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-15 15:10:25 UTC 
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-15 15:12:56 UTC 
sparc stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-17 14:26:47 UTC 
arm64 stable
Comment 11 Rolf Eike Beer archtester 2020-06-18 06:53:55 UTC 
hppa stable
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-06-20 13:49:43 UTC 
x86 stable
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 14:59:34 UTC 
@maintainer(s), please cleanup
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 05:57:47 UTC 
(In reply to Sam James from comment #13)
> @maintainer(s), please cleanup

ping.

GLSA vote: yes
Comment 15 Larry the Git Cow gentoo-dev 2020-07-26 11:46:26 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4998ec2920eb4e1f036d4c738e2be0c8f3cfd3b

commit a4998ec2920eb4e1f036d4c738e2be0c8f3cfd3b
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-07-26 10:49:44 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-07-26 11:46:09 +0000

    net-libs/glib-networking: security cleanup
    
    Bug: https://bugs.gentoo.org/725880
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/glib-networking/Manifest                  |  2 -
 .../glib-networking/glib-networking-2.60.4.ebuild  | 73 ----------------------
 .../glib-networking/glib-networking-2.62.3.ebuild  | 73 ----------------------
 3 files changed, 148 deletions(-)
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 01:35:30 UTC 
This issue was resolved and addressed in
 GLSA 202007-50 at https://security.gentoo.org/glsa/202007-50
by GLSA coordinator Sam James (sam_c).