When accessing google services over SSL, the certificate is not validated, which allows a MITM attack that can expose user name and password. This bug can be easily exploited using a tool such as sslsniff. References: https://bugzilla.gnome.org/show_bug.cgi?id=671535 https://bugzilla.novell.com/show_bug.cgi?id=752088 Upstream Commit: http://git.gnome.org/browse/libgdata/commit/?id=6799f2c525a584dc998821a6ce897e463dad7840 http://git.gnome.org/browse/libgdata/commit/?h=libgdata-0-10&id=8eff8fa9138859e03e58c2aa76600ab63eb5c29c
Thanks for reporting, fixed in 0.8.1-r2 and 0.10.2. Note that libgdata-0.8.1-r2 should be stabilized, but *not* libgdata-0.10.2 for now (the 0.10.x series has API changes that break evolution-data-server-2.x). >*libgdata-0.10.2 (15 Mar 2012) >*libgdata-0.8.1-r2 (15 Mar 2012) > > 15 Mar 2012; Alexandre Rostovtsev <tetromino@gentoo.org> > -libgdata-0.8.0.ebuild, +libgdata-0.8.1-r2.ebuild, > +files/libgdata-0.8.1-validate-ssl.patch, -libgdata-0.10.0.ebuild, > +libgdata-0.10.2.ebuild: > Validate SSL certificates to prevent MITM attack (bug #408245, CVE-2012-1177, > thanks to Michael Harrison for reporting). Drop old.
(In reply to comment #1) > Thanks for reporting, fixed in 0.8.1-r2 and 0.10.2. > Great, thank you. Arches, please test and mark stable: =dev-libs/libgdata-0.8.1-r2 Target keywords : "alpha amd64 arm ia64 ppc ppc64 sparc x86"
amd64 stable
ppc64 done
arm stable
x86 stable
alpha/ia64/sparc stable
ppc done
Thanks, everyone. Creating GLSA draft.
This issue was resolved and addressed in GLSA 201208-06 at http://security.gentoo.org/glsa/glsa-201208-06.xml by GLSA coordinator Sean Amoss (ackle).
CVE-2012-1177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1177): libgdata before 0.10.2 and 0.11.x before 0.11.1 does not validate SSL certificates, which allows remote attackers to obtain user names and passwords via a man-in-the-middle (MITM) attack with a spoofed certificate.
