Bug 438722 (CVE-2012-4511) - <net-libs/libsocialweb-0.25.21 : connects with flickr server without user permission (CVE-2012-4511)
Status: RESOLVED FIXED
Alias: CVE-2012-4511
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Reported: 2012-10-17 17:20 UTC by Agostino Sarubbo
Modified: 2012-12-16 22:08 UTC
Description Agostino Sarubbo gentoo-dev 2012-10-17 17:20:17 UTC
From Red Hat Bugzilla:

Description of problem:
Whenever I connect to the Internet I see libsocialweb establishing a connection with 68.142.214.24 (a Flickr server). I do not have a Flickr account.

Version-Release number of selected component (if applicable):
libsocialweb-0.25.20-1.fc16.i686
libsocialweb-keys-0.25.20-1.fc16.noarch

How reproducible:
Always

Steps to Reproduce:
1. disconnect network
2. reconnect
3. run sudo netstat -tanp | grep libsocialweb
  
Actual results:
netstat shows the following connection:
tcp        0      0 10.51.249.72:52028          68.142.214.24:80            ESTABLISHED 1617/libsocialweb-c

Expected results:
No connections to Flickr servers.

Additional info:
Kernel: 3.4.11-1.fc16.i686.PAE
68.142.214.24 is www.flickr.mud.yahoo.com
process 1617 is /usr/libexec/libsocialweb-core
I captured two packets with wireshark:
1	3.574207	10.50.122.13	68.142.214.24	HTTP
GET /services/rest/?method=flickr%2Eauth%2EcheckToken&api%5Fsig=b4182f2f96c74c51ce141ae71c5555d3&api%5Fkey=d7953dc63a9498433bfdb4287ee2694b HTTP/1.1
Host: api.flickr.com
Connection: Keep-Alive
2	5.198500	68.142.214.24	10.50.122.13	HTTP/XML
HTTP/1.1 200 OK
Date: Thu, 04 Oct 2012 15:12:54 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Length: 109
Cache-Control: private
X-Served-By: www166.flickr.mud.yahoo.com
Vary: Accept-Encoding
Content-Type: text/xml; charset=utf-8
Connection: keep-alive
<?xml version="1.0" encoding="utf-8" ?>
<rsp stat="fail">
	<err code="98" msg="Invalid auth token" />
</rsp>
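The three pieces of evidence in the report above (the netstat line, the captured GET, and the XML error) can be checked mechanically. The Python below is an added example written for this page; it is not code from the bug report, from Red Hat, or from libsocialweb. It embeds the report's netstat line and HTTP exchange as constructed sample input, adds an invented benign firefox connection to 192.0.2.10 (a documentation address) as a control, and treats any connection owned by a program on a "quiet" list (here the truncated process name libsocialweb-c, which should be idle with no account configured) as a finding. The cleartext flag records what the CVE text later turns on: the token check goes to port 80 over plain HTTP, so the embedded api_key and the server's answer are visible to anyone on the path.

```python
"""Triage of the connection reported above (added example, not code from
libsocialweb or the bug report): parse netstat output, pick out processes that
should be idle without a configured account, and decode the Flickr request and
response seen on the wire."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the libsocialweb line copies the report's netstat output;
# the firefox line to 192.0.2.10 is invented as a benign control.
NETSTAT_SAMPLE = """\
tcp        0      0 10.51.249.72:52028          68.142.214.24:80            ESTABLISHED 1617/libsocialweb-c
tcp        0      0 10.51.249.72:41022          192.0.2.10:443              ESTABLISHED 2201/firefox
"""

# Request line and response body as captured in the report.
REQUEST_SAMPLE = ("GET /services/rest/?method=flickr%2Eauth%2EcheckToken"
                  "&api%5Fsig=b4182f2f96c74c51ce141ae71c5555d3"
                  "&api%5Fkey=d7953dc63a9498433bfdb4287ee2694b HTTP/1.1")
RESPONSE_SAMPLE = ('<?xml version="1.0" encoding="utf-8" ?>\n'
                   '<rsp stat="fail">\n'
                   '\t<err code="98" msg="Invalid auth token" />\n'
                   '</rsp>')

# `netstat -tanp` TCP line: proto recv-q send-q local remote state pid/program
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)\s*$"
)


def parse_netstat(text):
    """Return one dict per TCP connection that has an owning process."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header lines, sockets without a pid, UDP
        host, port = m.group("remote").rsplit(":", 1)
        conns.append({
            "pid": int(m.group("pid")),
            "prog": m.group("prog"),   # netstat truncates long program names
            "remote_host": host,
            "remote_port": int(port),
            "state": m.group("state"),
        })
    return conns


def unexpected_connections(conns, quiet_programs):
    """Connections owned by programs that should not be talking at all
    (a social-web daemon on a box with no accounts configured, for instance)."""
    return [c for c in conns if c["prog"] in quiet_programs]


def parse_flickr_request(request_line):
    """Decode an HTTP request line aimed at the Flickr REST endpoint.
    parse_qs undoes the %2E / %5F escaping seen in the capture."""
    verb, target, version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"verb": verb, "path": parts.path, "version": version, "params": params}


def parse_flickr_response(xml_text):
    """Decode a Flickr REST <rsp> document into a small status dict."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "rsp":
        raise ValueError("not a Flickr REST response")
    if root.get("stat") == "fail":
        err = root.find("err")
        return {"ok": False, "code": int(err.get("code")), "msg": err.get("msg")}
    return {"ok": True, "code": 0, "msg": ""}


def triage(netstat_text, request_line, response_xml, quiet_programs):
    """Attach the decoded exchange to every flagged connection. The capture
    has a single peer, so a flat pairing is enough here; a real tool would
    key request and response by the connection's 4-tuple."""
    req = parse_flickr_request(request_line)
    resp = parse_flickr_response(response_xml)
    findings = []
    for c in unexpected_connections(parse_netstat(netstat_text), quiet_programs):
        findings.append({
            "pid": c["pid"],
            "prog": c["prog"],
            "remote": f"{c['remote_host']}:{c['remote_port']}",
            "cleartext": c["remote_port"] == 80,      # plain HTTP: visible to a MITM
            "api_method": req["params"].get("method"),
            "api_key": req["params"].get("api_key"),  # embedded app key, sent in the clear
            "server_said": f"{resp['code']} {resp['msg']}",
        })
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, REQUEST_SAMPLE, RESPONSE_SAMPLE, {"libsocialweb-c"}):
        print(f)
```

Run with `sudo netstat -tanp` output piped in place of NETSTAT_SAMPLE and the quiet list set to whatever daemons on the host have no credentials configured; the firefox line is there only to show that an allowed program is not reported.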
Comment 1 Agostino Sarubbo gentoo-dev 2012-10-17 17:21:27 UTC
This is fixed in 0.25.21.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-10-20 03:01:44 UTC
Thanks, fixed in 0.25.21

>*libsocialweb-0.25.21 (20 Oct 2012)
>
>  20 Oct 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>  libsocialweb-0.25.20.ebuild, +libsocialweb-0.25.21.ebuild,
>  +files/libsocialweb-0.25.21-gmodule.patch:
>  Version bump, no longer connects to Flickr without permission (bug #438722,
>  CVE-2012-4511, thanks to Agostino Sarubbo). Drop useless USE=doc, it only
>  regenerated documentation. Use vala.eclass.
Comment 3 Agostino Sarubbo gentoo-dev 2012-10-20 08:59:23 UTC
Arches, please test and mark stable:
=net-libs/libsocialweb-0.25.21
Target keywords : "amd64 x86"
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-10-20 17:22:22 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2012-10-20 18:39:31 UTC
amd64 stable
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-10-23 20:23:08 UTC
CVE-2012-4511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4511):
  services/flickr/flickr.c in libsocialweb before 0.25.22 automatically
  connects to Flickr when no Flickr account is set, which might allow remote
  attackers to obtain sensitive information via a man-in-the-middle (MITM)
  attack.
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-23 20:28:18 UTC
Thanks, everyone.

GLSA vote: no.
Comment 8 Agostino Sarubbo gentoo-dev 2012-10-23 20:37:22 UTC
(In reply to comment #6)
> CVE-2012-4511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4511):
>   services/flickr/flickr.c in libsocialweb before 0.25.22 automatically
>   connects to Flickr when no Flickr account is set, which might allow remote
>   attackers to obtain sensitive information via a man-in-the-middle (MITM)
>   attack.

There is an incongruity here. I know this is fixed in 0.25.21.
The CVE description says "before 0.25.22". Is the CVE description wrong, or did we get it wrong?
Comment 9 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-10-23 20:41:23 UTC
(In reply to comment #8)
> (In reply to comment #6)
> > CVE-2012-4511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4511):
> >   services/flickr/flickr.c in libsocialweb before 0.25.22 automatically
> >   connects to Flickr when no Flickr account is set, which might allow remote
> >   attackers to obtain sensitive information via a man-in-the-middle (MITM)
> >   attack.
> 
> there is an incongruity here. I know this is fixed in 0.25.21.
> The description of the CVE says before 0.25.22. Is the CVE description wrong
> or we go bad?

0.25.22 does not exist, see http://ftp.gnome.org/pub/GNOME/sources/libsocialweb/0.25/ and the git repository.
Comment 10 Agostino Sarubbo gentoo-dev 2012-10-23 20:44:16 UTC
(In reply to comment #9)
> 0.25.22 does not exist, see
> http://ftp.gnome.org/pub/GNOME/sources/libsocialweb/0.25/ and the git
> repository.

As I thought... thanks.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 22:08:54 UTC
I don't even see this as a security hole. Closing noglsa.