From Red Hat Bugzilla:

Description of problem:
Whenever I connect to the Internet I see libsocialweb establishing a connection with 68.142.214.24 (flickr server). I do not have a flickr account.

Version-Release number of selected component (if applicable):
libsocialweb-0.25.20-1.fc16.i686
libsocialweb-keys-0.25.20-1.fc16.noarch

How reproducible:
Always

Steps to Reproduce:
1. disconnect network
2. reconnect
3. run sudo netstat -tanp | grep libsocialweb

Actual results:
netstat shows the following connection:
tcp        0      0 10.51.249.72:52028      68.142.214.24:80        ESTABLISHED 1617/libsocialweb-c

Expected results:
No connections with flickr servers.

Additional info:
Kernel: 3.4.11-1.fc16.i686.PAE
68.142.214.24 is www.flickr.mud.yahoo.com
process 1617 is /usr/libexec/libsocialweb-core

I captured two packets with wireshark:

1 3.574207 10.50.122.13 68.142.214.24 HTTP GET /services/rest/?method=flickr%2Eauth%2EcheckToken&api%5Fsig=b4182f2f96c74c51ce141ae71c5555d3&api%5Fkey=d7953dc63a9498433bfdb4287ee2694b HTTP/1.1
Host: api.flickr.com
Connection: Keep-Alive

2 5.198500 68.142.214.24 10.50.122.13 HTTP/XML HTTP/1.1 200 OK
Date: Thu, 04 Oct 2012 15:12:54 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Length: 109
Cache-Control: private
X-Served-By: www166.flickr.mud.yahoo.com
Vary: Accept-Encoding
Content-Type: text/xml; charset=utf-8
Connection: keep-alive

<?xml version="1.0" encoding="utf-8" ?>
<rsp stat="fail">
<err code="98" msg="Invalid auth token" />
</rsp>
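A check for the symptom described in this report, added here as an example (it is not from the report or from libsocialweb): it parses `netstat -tanp` output for established sockets held by a libsocialweb process, and inspects a captured Flickr REST request line for a call to an auth method that carries no auth_token parameter. The sample netstat text and request line are constructed from the values above.

```python
"""Detect the reported symptom: a libsocialweb process holding a TCP
connection, and a Flickr auth API call sent without any auth token."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of `netstat -tanp` output; the libsocialweb line
# reproduces the one in the report, the others are filler.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.51.249.72:52028      68.142.214.24:80        ESTABLISHED 1617/libsocialweb-c
tcp        0      0 10.51.249.72:41022      93.184.216.34:443       ESTABLISHED 2203/firefox
"""

# Constructed request line, matching the GET captured in the report.
REQUEST_SAMPLE = ("GET /services/rest/?method=flickr%2Eauth%2EcheckToken"
                  "&api%5Fsig=b4182f2f96c74c51ce141ae71c5555d3"
                  "&api%5Fkey=d7953dc63a9498433bfdb4287ee2694b HTTP/1.1")

# proto, recv-q, send-q, local, remote, state, pid/program
NETSTAT_RE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)/(\S+)")


def established_by(netstat_text, program_prefix):
    """Return (local, remote, pid, program) for ESTABLISHED sockets whose
    program name starts with program_prefix (netstat truncates long names,
    hence 'libsocialweb-c' for libsocialweb-core)."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header or non-TCP line
        _proto, local, remote, state, pid, prog = m.groups()
        if state == "ESTABLISHED" and prog.startswith(program_prefix):
            hits.append((local, remote, int(pid), prog))
    return hits


def flickr_auth_call_without_token(request_line):
    """True when the request line is a Flickr REST call to a flickr.auth.*
    method that carries no auth_token parameter, the signature of the
    unsolicited checkToken request in the report."""
    target = request_line.split()[1]
    params = parse_qs(urlsplit(target).query)  # decodes %2E and %5F
    method = params.get("method", [""])[0]
    return method.startswith("flickr.auth.") and "auth_token" not in params
```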
this is fixed in 0.25.21
Thanks, fixed in 0.25.21

> *libsocialweb-0.25.21 (20 Oct 2012)
>
>   20 Oct 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>   libsocialweb-0.25.20.ebuild, +libsocialweb-0.25.21.ebuild,
>   +files/libsocialweb-0.25.21-gmodule.patch:
>   Version bump, no longer connects to Flickr without permission (bug #438722,
>   CVE-2012-4511, thanks to Agostino Sarubbo). Drop useless USE=doc, it only
>   regenerated documentation. Use vala.eclass.
Arches, please test and mark stable:
=net-libs/libsocialweb-0.25.21
Target keywords : "amd64 x86"
x86 stable
amd64 stable
CVE-2012-4511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4511): services/flickr/flickr.c in libsocialweb before 0.25.22 automatically connects to Flickr when no Flickr account is set, which might allow remote attackers to obtain sensitive information via a man-in-the-middle (MITM) attack.
Thanks, everyone. GLSA vote: no.
(In reply to comment #6)
> CVE-2012-4511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4511):
> services/flickr/flickr.c in libsocialweb before 0.25.22 automatically
> connects to Flickr when no Flickr account is set, which might allow remote
> attackers to obtain sensitive information via a man-in-the-middle (MITM)
> attack.

There is an incongruity here. I know this is fixed in 0.25.21. The description of the CVE says before 0.25.22. Is the CVE description wrong, or did we go wrong?
(In reply to comment #8)
> (In reply to comment #6)
> > CVE-2012-4511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4511):
> > services/flickr/flickr.c in libsocialweb before 0.25.22 automatically
> > connects to Flickr when no Flickr account is set, which might allow remote
> > attackers to obtain sensitive information via a man-in-the-middle (MITM)
> > attack.
>
> there is an incongruity here. I know this is fixed in 0.25.21.
> The description of the CVE says before 0.25.22. Is the CVE description wrong
> or we go bad?

0.25.22 does not exist, see http://ftp.gnome.org/pub/GNOME/sources/libsocialweb/0.25/ and the git repository.
(In reply to comment #9)
> 0.25.22 does not exist, see
> http://ftp.gnome.org/pub/GNOME/sources/libsocialweb/0.25/ and the git
> repository.

As I thought... thanks
I don't even see this as a security hole. Closing noglsa.