Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 809713 (CVE-2021-39365)

Summary: <media-libs/grilo-0.3.14: improper TLS verification (CVE-2021-39365)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 831048    
Bug Blocks: 792267    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-23 00:24:36 UTC 
CVE-2021-39365 (https://gitlab.gnome.org/GNOME/grilo/-/issues/146):

In GNOME grilo though 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.
Comment 2 Larry the Git Cow gentoo-dev 2021-11-11 13:52:18 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05d1238ef466bbb8f266f6ed6cd749b0db1b242a

commit 05d1238ef466bbb8f266f6ed6cd749b0db1b242a
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2021-11-11 13:14:07 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2021-11-11 13:52:04 +0000

    media-libs/grilo: Bump to 0.3.14
    
    Bug: https://bugs.gentoo.org/809713
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 media-libs/grilo/Manifest            |  1 +
 media-libs/grilo/grilo-0.3.14.ebuild | 77 ++++++++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-11 15:28:45 UTC 
Please file a stablereq when ready.