Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 809713 (CVE-2021-39365) - <media-libs/grilo-0.3.14: improper TLS verification (CVE-2021-39365)
Summary: <media-libs/grilo-0.3.14: improper TLS verification (CVE-2021-39365)
Status: IN_PROGRESS
Alias: CVE-2021-39365
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 831048
Blocks: 792267
  Show dependency tree
 
Reported: 2021-08-23 00:24 UTC by Sam James
Modified: 2022-04-20 02:36 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-23 00:24:36 UTC
CVE-2021-39365 (https://gitlab.gnome.org/GNOME/grilo/-/issues/146):

In GNOME grilo though 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.
Comment 2 Larry the Git Cow gentoo-dev 2021-11-11 13:52:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05d1238ef466bbb8f266f6ed6cd749b0db1b242a

commit 05d1238ef466bbb8f266f6ed6cd749b0db1b242a
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2021-11-11 13:14:07 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2021-11-11 13:52:04 +0000

    media-libs/grilo: Bump to 0.3.14
    
    Bug: https://bugs.gentoo.org/809713
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 media-libs/grilo/Manifest            |  1 +
 media-libs/grilo/grilo-0.3.14.ebuild | 77 ++++++++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-11 15:28:45 UTC
Please file a stablereq when ready.