
Bug 725880

Summary: <net-libs/glib-networking-2.62.4: Improper TLS certificate validation (CVE-2020-13645)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gnome
Priority: Normal
Keywords: CC-ARCHES
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
URL: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135
Whiteboard: B3 [glsa+ cve]
Package list: net-libs/glib-networking-2.62.4
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 725908

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-28 12:48:01 UTC
Description:
"In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host."
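The decision the CVE text describes, as an added illustration (constructed Python model, not glib-networking's code): the fail-open variant skips the hostname check when no server identity is supplied and so accepts any valid certificate, while the fail-closed variant reports a bad identity; the SAN list, hostnames and flag names are constructed for this example.

```python
"""Constructed model of the CVE-2020-13645 identity check; not glib-networking code."""
from enum import Flag, auto
from typing import Optional, Sequence


class CertError(Flag):
    """Constructed subset of GTlsCertificateFlags-style error bits."""
    NONE = 0
    BAD_IDENTITY = auto()   # certificate is not valid for the expected host
    UNKNOWN_CA = auto()     # chain did not validate (chain check is stubbed here)


def identity_matches(san_dns: Sequence[str], hostname: str) -> bool:
    """RFC 6125-style dNSName match: '*' may replace only the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    for san in san_dns:
        pat = san.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*":
            # wildcard needs at least two fixed labels and covers one label only
            if len(pat) >= 3 and pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


def verify_peer(san_dns: Sequence[str], chain_ok: bool,
                server_identity: Optional[str], fail_closed: bool = True) -> CertError:
    """Return the error bits for a peer certificate given the expected identity.

    fail_closed=False models the pre-fix behaviour: a missing identity means the
    hostname check is simply skipped. fail_closed=True models the documented
    behaviour: a missing identity is itself a BAD_IDENTITY failure.
    """
    errors = CertError.NONE
    if not chain_ok:
        errors |= CertError.UNKNOWN_CA
    if server_identity is None:
        if fail_closed:
            errors |= CertError.BAD_IDENTITY
    elif not identity_matches(san_dns, server_identity):
        errors |= CertError.BAD_IDENTITY
    return errors


# Constructed certificate SANs for the demonstration.
SAMPLE_SANS = ["mail.example.org", "*.example.net"]

if __name__ == "__main__":
    print("fail-open, no identity :", verify_peer(SAMPLE_SANS, True, None, fail_closed=False))
    print("fail-closed, no identity:", verify_peer(SAMPLE_SANS, True, None))
```

The application-side mitigation the CVE text implies is the same in either variant: always supply the expected server identity so the hostname check actually runs.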
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-28 12:59:14 UTC
Patch: https://gitlab.gnome.org/GNOME/glib-networking/-/commit/dbc8d69f58b07f6ed091aa123e5d40a53573a5fc

@maintainer(s), please apply if possible.
Comment 2 Mart Raudsepp gentoo-dev 2020-06-01 11:00:05 UTC
For anyone thinking of just requesting 2.64 stable - you must not do that unless you are stabling glib-2.64 and co as well. They need to be in sync.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-04 11:16:49 UTC
(In reply to Mart Raudsepp from comment #2)
> For anyone thinking of just requesting 2.64 stable - you must not do that
> unless you are stabling glib-2.64 and co as well. They need to be in sync.

Does the patch apply ok?
Comment 4 Larry the Git Cow gentoo-dev 2020-06-13 22:03:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be97151dd594ba04f27603a9c067e4a5bed859f5

commit be97151dd594ba04f27603a9c067e4a5bed859f5
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-06-13 22:02:11 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-06-13 22:03:03 +0000

    net-libs/glib-networking: bump to 2.64.3 for CVE-2020-13645
    
    Blind bump, hope it works.
    
    Bug: https://bugs.gentoo.org/725880
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/glib-networking/Manifest                  |  1 +
 .../glib-networking/glib-networking-2.64.3.ebuild  | 73 ++++++++++++++++++++++
 2 files changed, 74 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9aaf52255a767b13268c84a6b612dec17339fded

commit 9aaf52255a767b13268c84a6b612dec17339fded
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-06-13 21:59:11 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-06-13 22:03:03 +0000

    net-libs/glib-networking: bump to 2.62.4 for CVE-2020-13645
    
    Bug: https://bugs.gentoo.org/725880
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/glib-networking/Manifest                  |  1 +
 .../glib-networking/glib-networking-2.62.4.ebuild  | 73 ++++++++++++++++++++++
 2 files changed, 74 insertions(+)
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2020-06-14 20:23:08 UTC
ppc/ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-15 15:01:17 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-15 15:04:42 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-15 15:10:25 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-15 15:12:56 UTC
sparc stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-17 14:26:47 UTC
arm64 stable
Comment 11 Rolf Eike Beer archtester 2020-06-18 06:53:55 UTC
hppa stable
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-06-20 13:49:43 UTC
x86 stable
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 14:59:34 UTC
@maintainer(s), please cleanup
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 05:57:47 UTC
(In reply to Sam James from comment #13)
> @maintainer(s), please cleanup

ping.

GLSA vote: yes
Comment 15 Larry the Git Cow gentoo-dev 2020-07-26 11:46:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4998ec2920eb4e1f036d4c738e2be0c8f3cfd3b

commit a4998ec2920eb4e1f036d4c738e2be0c8f3cfd3b
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-07-26 10:49:44 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-07-26 11:46:09 +0000

    net-libs/glib-networking: security cleanup
    
    Bug: https://bugs.gentoo.org/725880
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 net-libs/glib-networking/Manifest                  |  2 -
 .../glib-networking/glib-networking-2.60.4.ebuild  | 73 ----------------------
 .../glib-networking/glib-networking-2.62.3.ebuild  | 73 ----------------------
 3 files changed, 148 deletions(-)
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 01:35:30 UTC
This issue was resolved and addressed in
 GLSA 202007-50 at https://security.gentoo.org/glsa/202007-50
by GLSA coordinator Sam James (sam_c).