Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 809716 (CVE-2021-39360)

Summary: net-libs/libzapojit: improper TLS verification (CVE-2021-39360)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://gitlab.gnome.org/GNOME/libzapojit/-/commit/a033fe378d1683354adc3718fbdc7c07f793206d
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 792267    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-23 00:25:58 UTC 
CVE-2021-39360 (https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/):

In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.
Comment 1 Larry the Git Cow gentoo-dev 2023-04-30 10:07:50 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f4a91806a55257b5aa42103e6c00ff7ac02e6c2

commit 5f4a91806a55257b5aa42103e6c00ff7ac02e6c2
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2023-04-30 10:06:22 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2023-04-30 10:06:22 +0000

    net-libs/libzapojit: treeclean
    
    Bug: https://bugs.gentoo.org/809716
    Signed-off-by: David Seifert <soap@gentoo.org>

 net-libs/libzapojit/Manifest                   |  1 -
 net-libs/libzapojit/libzapojit-0.0.3-r2.ebuild | 38 --------------------------
 net-libs/libzapojit/metadata.xml               | 11 --------
 profiles/package.mask                          |  1 -
 4 files changed, 51 deletions(-)