Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 543650 (CVE-2015-2330) - <net-libs/webkit-gtk-2.7.92: WebKitGTK+ late TLS certificate verification (CVE-2015-2330)
Summary: <net-libs/webkit-gtk-2.7.92: WebKitGTK+ late TLS certificate verification (C...
Status: RESOLVED FIXED
Alias: CVE-2015-2330
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2015/q1/871
Whiteboard: A4 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-17 21:54 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2017-06-07 12:11 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-17 21:54:13 UTC
From ${URL}:
Hi,

WebKitGTK+ [1] prior to 2.7.92 performed TLS certificate verification
too late, after sending an HTTP request rather than before. The issue
may be corrected for WebKitGTK+ 2.6.5 and WebKitGTK+ 2.4.8 using the
patch at [2]. Applications are affected if they use the WebKit2GTK+ API
with WEBKIT_TLS_ERRORS_POLICY_FAIL. (This policy is the default in
WebKitGTK+ 2.6.2 and later; applications using earlier versions of
WebKitGTK+ must opt-in to certificate verification failures by calling
webkit_web_context_set_tls_errors_policy.) Applications using the
original WebKitGTK+ 1 API are unaffected because they must handle
certificate verification themselves.

Please assign a CVE for this issue.

Thanks,

Michael

[1] http://webkitgtk.org/
[2]
http://trac.webkit.org/changeset/181074/trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp
Comment 1 Joakim Tjernlund 2015-05-20 19:40:14 UTC
webkit 2.4.9 just got out, possibly fixed there?
Comment 2 Priit Laes (IRC: plaes) 2015-05-21 04:49:08 UTC
(In reply to Joakim Tjernlund from comment #1)
> webkit 2.4.9 just got out, possibly fixed there?

Seems like it did (from release notes):

o Check TLS errors as soon as they are set in the SoupMessage to prevent any data from being sent to the server in case of invalid certificate.
Comment 3 Gilles Dartiguelongue (RETIRED) gentoo-dev 2015-05-24 23:12:16 UTC
2.4.9 and 2.6.6 in tree have fixes for this according to ChangeLog/NEWS.
Comment 4 Pacho Ramos gentoo-dev 2016-03-09 15:34:18 UTC
This is already fixed in current stable versions in the tree
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-12 11:57:07 UTC
Added to new GLSA.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 10:21:31 UTC
This issue was resolved and addressed in
 GLSA 201612-41 at https://security.gentoo.org/glsa/201612-41
by GLSA coordinator Aaron Bauman (b-man).
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-12-13 13:33:19 UTC
Should not have been addressed via GLSA or closed.  Errata published.  Reopening.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2017-06-07 12:11:08 UTC
This issue was resolved and addressed in
 GLSA 201706-15 at https://security.gentoo.org/glsa/201706-15
by GLSA coordinator Thomas Deutschmann (whissi).