Bug 678070 - <gnome-extra/evolution-ews-3.30.5-r1: silently ignores all certificate errors
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://gitlab.gnome.org/GNOME/evolut...
Whiteboard: B4 [noglsa]
Keywords:
: CVE-2019-3890
Depends on:
Blocks:
 
Reported: 2019-02-15 14:07 UTC by Liam Dennehy
Modified: 2020-05-22 00:36 UTC

Description Liam Dennehy 2019-02-15 14:07:38 UTC
As reported upstream: https://gitlab.gnome.org/GNOME/evolution-ews/issues/36

Evolution Exchange Web Services can silently ignore *all* certificate errors if configured to ignore an initial error in gnome-online-accounts creation. This renders transport security worse than zero as it does not even indicate (logs or UI) that a questionable certificate was presented, leaving the connection open to being viewed and modified.
Comment 1 Liam Dennehy 2019-02-22 22:04:09 UTC
Present in 3.31 (dev), so may require backport to 3.30 currently pending stabilisation.
Comment 2 Larry the Git Cow gentoo-dev 2019-02-27 12:43:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec808adda217d07bb554a784bd644c90abe472aa

commit ec808adda217d07bb554a784bd644c90abe472aa
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-02-27 12:27:08 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-02-27 12:39:49 +0000

    gnome-extra/evolution-ews: add patch for SSL certificate validation
    
    Bug: https://bugs.gentoo.org/678070
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 gnome-extra/evolution-ews/Manifest                 |  1 +
 .../evolution-ews/evolution-ews-3.30.5-r1.ebuild   | 66 ++++++++++++++++++++++
 2 files changed, 67 insertions(+)
Comment 3 Mart Raudsepp gentoo-dev 2019-02-27 12:45:02 UTC
Upstream doesn't seem to consider this a big issue. Either way, it is probably too complicated to backport to 3.24 stable versions, and evolution 3.30 stack isn't ready to go stable before about 6 weeks probably :(
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 06:58:56 UTC
Please take a look at the commit:
https://gitlab.gnome.org/GNOME/evolution-ews/issues/27
Comment 5 Mart Raudsepp gentoo-dev 2019-04-27 08:19:35 UTC
This is already fixed in evolution-ews-3.30.5-r1 for exactly 2 months.
But there were no updates here, as we are not ready to stabilize that cycle yet.
Comment 6 Mart Raudsepp gentoo-dev 2019-04-27 08:20:42 UTC
(In reply to Mart Raudsepp from comment #5)
> This is already fixed in evolution-ews-3.30.5-r1 for exactly 2 months.
> But there were no updates here, as we are not ready to stabilize that cycle yet.

err, there WERE updates here and explanations, just not whiteboard/summary changes.
So what should I be looking at there from the upstream issue?
Comment 7 Mart Raudsepp gentoo-dev 2019-05-18 21:52:31 UTC
This was stabled with GNOME 3.30 now
Comment 8 Larry the Git Cow gentoo-dev 2019-05-18 22:08:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c62c50b3f349dc677ff2ce8bca401c7d440a453f

commit c62c50b3f349dc677ff2ce8bca401c7d440a453f
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-05-18 21:51:46 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-05-18 21:52:40 +0000

    gnome-extra/evolution-ews: remove old
    
    Bug: https://bugs.gentoo.org/678070
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 gnome-extra/evolution-ews/Manifest                 |  1 -
 .../evolution-ews/evolution-ews-3.24.6.ebuild      | 66 ----------------------
 .../files/3.24.6-DESTDIR-honoring.patch            | 33 -----------
 .../files/3.24.6-libical3-compat.patch             | 44 ---------------
 4 files changed, 144 deletions(-)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-22 00:36:23 UTC
*** Bug 699858 has been marked as a duplicate of this bug. ***