Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 408245 (CVE-2012-1177) - <dev-libs/libgdata-{0.8.1-r2,0.10.2}: Does not validate SSL certificates allowing for MITM (CVE-2012-1177)
Summary: <dev-libs/libgdata-{0.8.1-r2,0.10.2}: Does not validate SSL certificates allo...
Status: RESOLVED FIXED
Alias: CVE-2012-1177
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugs.launchpad.net/ubuntu/+so...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-15 00:18 UTC by Michael Harrison
Modified: 2012-09-05 11:57 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Harrison 2012-03-15 00:18:08 UTC
When accessing google services over SSL, the certificate is not validated, which allows a MITM attack that can expose user name and password. This bug can be easily exploited using a tool such as sslsniff.

References:
https://bugzilla.gnome.org/show_bug.cgi?id=671535
https://bugzilla.novell.com/show_bug.cgi?id=752088

Upstream Commit:
http://git.gnome.org/browse/libgdata/commit/?id=6799f2c525a584dc998821a6ce897e463dad7840
http://git.gnome.org/browse/libgdata/commit/?h=libgdata-0-10&id=8eff8fa9138859e03e58c2aa76600ab63eb5c29c
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-03-15 01:26:25 UTC
Thanks for reporting, fixed in 0.8.1-r2 and 0.10.2.

Note that libgdata-0.8.1-r2 should be stabilized, but *not* libgdata-0.10.2 for now (the 0.10.x series has API changes that break evolution-data-server-2.x).

>*libgdata-0.10.2 (15 Mar 2012)
>*libgdata-0.8.1-r2 (15 Mar 2012)
>
>  15 Mar 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>  -libgdata-0.8.0.ebuild, +libgdata-0.8.1-r2.ebuild,
>  +files/libgdata-0.8.1-validate-ssl.patch, -libgdata-0.10.0.ebuild,
>  +libgdata-0.10.2.ebuild:
>  Validate SSL certificates to prevent MITM attack (bug #408245, CVE-2012-1177,
>  thanks to Michael Harrison for reporting). Drop old.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-03-15 02:34:16 UTC
(In reply to comment #1)
> Thanks for reporting, fixed in 0.8.1-r2 and 0.10.2.
> 

Great, thank you.

Arches, please test and mark stable:
=dev-libs/libgdata-0.8.1-r2
Target keywords : "alpha amd64 arm ia64 ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-03-15 12:16:56 UTC
amd64 stable
Comment 4 Brent Baude (RETIRED) gentoo-dev 2012-03-16 18:15:05 UTC
ppc64 done
Comment 5 Markus Meier gentoo-dev 2012-03-28 05:25:48 UTC
arm stable
Comment 6 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-03-28 06:30:00 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2012-04-01 17:18:19 UTC
alpha/ia64/sparc stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2012-04-16 18:07:27 UTC
ppc done
Comment 9 Sean Amoss gentoo-dev Security 2012-04-16 21:05:30 UTC
Thanks, everyone. Creating GLSA draft.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-08-14 21:23:38 UTC
This issue was resolved and addressed in
 GLSA 201208-06 at http://security.gentoo.org/glsa/glsa-201208-06.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-09-05 11:57:24 UTC
CVE-2012-1177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1177):
  libgdata before 0.10.2 and 0.11.x before 0.11.1 does not validate SSL
  certificates, which allows remote attackers to obtain user names and
  passwords via a man-in-the-middle (MITM) attack with a spoofed certificate.