Debian Bug report logs - #664032
[CVE-2012-1177] libgdata does not verify SSL certs


Package: libgdata; Maintainer for libgdata is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>;

Reported by: Luciano Bello <luciano@debian.org>

Date: Wed, 14 Mar 2012 23:21:01 UTC

Severity: grave

Tags: patch, security

Fixed in versions 0.11.1-1, libgdata/0.10.2-1, libgdata/0.6.4-2+squeeze1

Done: Yves-Alexis Perez <corsac@debian.org>

Bug is archived. No further changes may be made.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#664032; Package libgdata. (Wed, 14 Mar 2012 23:21:04 GMT)

Acknowledgement sent to Luciano Bello <luciano@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Wed, 14 Mar 2012 23:21:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: [CVE-2012-1177] libgdata does not verify SSL certs
Date: Thu, 15 Mar 2012 00:18:52 +0100
Package: libgdata
Severity: grave
Tags: security patch

The following vulnerability has been reported against libgdata:
http://www.openwall.com/lists/oss-security/2012/03/14/3

The upstream patch:
http://git.gnome.org/browse/libgdata/commit/?id=6799f2c525a584dc998821a6ce897e463dad7840
http://git.gnome.org/browse/libgdata/commit/?h=libgdata-0-10&id=8eff8fa9138859e03e58c2aa76600ab63eb5c29c

Please use CVE-2012-1177 for this issue. Since the bug affects other 
applications (like evolution) and looks quite important, please contact the 
security team if it also affects stable.

Cheers,
luciano

Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Wed, 14 Mar 2012 23:30:03 GMT)

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Wed, 14 Mar 2012 23:30:03 GMT)

Message #10 received at 664032-done@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: Luciano Bello <luciano@debian.org>, 664032-done@bugs.debian.org
Subject: Re: Bug#664032: [CVE-2012-1177] libgdata does not verify SSL certs
Date: Thu, 15 Mar 2012 00:28:10 +0100
Version: 0.11.1-1
On 15.03.2012 00:18, Luciano Bello wrote:
> Package: libgdata
> Severity: grave
> Tags: security patch
> 
> The following vulnerability has been reported against libgdata:
> http://www.openwall.com/lists/oss-security/2012/03/14/3
> 
> The upstream patch:
> http://git.gnome.org/browse/libgdata/commit/?id=6799f2c525a584dc998821a6ce897e463dad7840
> http://git.gnome.org/browse/libgdata/commit/?h=libgdata-0-10&id=8eff8fa9138859e03e58c2aa76600ab63eb5c29c
> 
> Please use CVE-2012-1177 for this issue. Since the bug affects other 
> applications (like evolution) and looks quite important, please contact the 
> security team if it also affects stable.

Fixed in the just uploaded 0.11.1-1


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

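The first question a defender asks of a report like this is whether the libgdata on a given host is at or past the fixed version for its series. The following is an added example, not code from this bug log or from the libgdata or Debian projects: it implements the Debian version-ordering algorithm (the one `dpkg --compare-versions` applies, with `~` sorting before everything and letters before non-letters) in Python and checks an installed version string against the three fixed versions listed in this report's header (0.11.1-1, 0.10.2-1, 0.6.4-2+squeeze1). The function names, and the rule that an installed version is judged against the fixed version of its own upstream major.minor series, are this example's own assumptions; the versions in the usage loop are constructed samples, not taken from any real host.

```python
import functools

# Fixed versions taken from this bug report's header ("Fixed in versions ...").
FIXED_VERSIONS = ("0.11.1-1", "0.10.2-1", "0.6.4-2+squeeze1")


def _order(c):
    """Character weight for the non-digit parts of a version, as dpkg defines it:
    '~' sorts before everything (even end of string), letters sort before
    non-letters, and end of string or a digit counts as 0."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare one upstream-version or revision string the way dpkg does:
    alternate non-digit runs (lexical, weighted by _order) and digit runs (numeric)."""

    def at(s, k):
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: first differing weight decides
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            oa, ob = _order(at(a, i)), _order(at(b, j))
            if oa != ob:
                return oa - ob
            i += 1
            j += 1
        # digit run: drop leading zeros, then the longer run (or first differing digit) wins
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        first_diff = 0
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if at(a, i).isdigit():
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split [epoch:]upstream[-revision]; the revision follows the last '-'."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def debian_version_compare(a, b):
    """Return <0, 0 or >0, matching dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def _series(version):
    """Upstream major.minor, e.g. '0.6' for 0.6.4-2+squeeze1 (assumption: one fix per series)."""
    return ".".join(_split(version)[1].split(".")[:2])


def fix_status(installed, fixed=FIXED_VERSIONS):
    """'fixed' if installed is at or past the fixed version of its own series,
    'vulnerable' if it is below it, 'unknown' if the report lists no fix for that series."""
    candidates = [f for f in fixed if _series(f) == _series(installed)]
    if not candidates:
        return "unknown"
    threshold = min(candidates, key=functools.cmp_to_key(debian_version_compare))
    return "fixed" if debian_version_compare(installed, threshold) >= 0 else "vulnerable"


if __name__ == "__main__":
    # constructed sample versions, not taken from any real host
    for v in ("0.6.4-2", "0.6.4-2+squeeze1", "0.10.1-1", "0.10.2-1", "0.9.1-1"):
        print(f"{v:20} {fix_status(v)}")
```

The per-series rule matters: a naive "installed is newer than some fixed version" test would call a 0.9.x build fixed because it sorts above 0.6.4-2+squeeze1, while the report lists no fixed 0.9 version at all, so the example answers "unknown" for it rather than guessing.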

Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Thu, 15 Mar 2012 00:21:05 GMT)

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Thu, 15 Mar 2012 00:21:05 GMT)

Message #15 received at 664032-close@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 664032-close@bugs.debian.org
Subject: Bug#664032: fixed in libgdata 0.10.2-1
Date: Thu, 15 Mar 2012 00:19:45 +0000
Source: libgdata
Source-Version: 0.10.2-1

We believe that the bug you reported is fixed in the latest version of
libgdata, which is due to be installed in the Debian FTP archive:

gir1.2-gdata-0.0_0.10.2-1_amd64.deb
  to main/libg/libgdata/gir1.2-gdata-0.0_0.10.2-1_amd64.deb
libgdata-common_0.10.2-1_all.deb
  to main/libg/libgdata/libgdata-common_0.10.2-1_all.deb
libgdata-dev_0.10.2-1_amd64.deb
  to main/libg/libgdata/libgdata-dev_0.10.2-1_amd64.deb
libgdata-doc_0.10.2-1_all.deb
  to main/libg/libgdata/libgdata-doc_0.10.2-1_all.deb
libgdata13_0.10.2-1_amd64.deb
  to main/libg/libgdata/libgdata13_0.10.2-1_amd64.deb
libgdata_0.10.2-1.debian.tar.gz
  to main/libg/libgdata/libgdata_0.10.2-1.debian.tar.gz
libgdata_0.10.2-1.dsc
  to main/libg/libgdata/libgdata_0.10.2-1.dsc
libgdata_0.10.2.orig.tar.xz
  to main/libg/libgdata/libgdata_0.10.2.orig.tar.xz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 664032@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated libgdata package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 15 Mar 2012 00:51:18 +0100
Source: libgdata
Binary: libgdata13 libgdata-common libgdata-dev libgdata-doc gir1.2-gdata-0.0
Architecture: source all amd64
Version: 0.10.2-1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description: 
 gir1.2-gdata-0.0 - GObject introspection data for the GData webservices library
 libgdata-common - Library for accessing GData webservices - common data files
 libgdata-dev - Library for accessing GData webservices - development files
 libgdata-doc - Library for accessing GData webservices - documentation
 libgdata13 - Library for accessing GData webservices - shared libraries
Closes: 664032
Changes: 
 libgdata (0.10.2-1) unstable; urgency=high
 .
   * New upstream release.
     - Correctly validate SSL certificates for all connections to prevent MitM
       attacks which use spoofed SSL certificates. Closes: #664032
       CVE-2012-1177
   * Urgency high for the security fix.
Checksums-Sha1: 
 c86d69a357fc678865bbf1684a9bd5edc5999e30 2747 libgdata_0.10.2-1.dsc
 07b8236cb86abe62146b590133b084ee161a46a2 1129804 libgdata_0.10.2.orig.tar.xz
 60015325b07a0d3418ca0da6f88658e70b1b73ef 9927 libgdata_0.10.2-1.debian.tar.gz
 14ca6a88c3684c3f903a8ee31572bc61a1dec535 249012 libgdata-common_0.10.2-1_all.deb
 da6af8343876edce63e9a343a5a944e2a81ce4b0 653876 libgdata-doc_0.10.2-1_all.deb
 ca7ae5b64455071f7a7ff54218a8642eeaa9bfce 401436 libgdata13_0.10.2-1_amd64.deb
 e822db1e6ad095beb7370e6a93d0a303a09533aa 662470 libgdata-dev_0.10.2-1_amd64.deb
 36676cfec628a371130f078c2e902ed690c6fce9 187902 gir1.2-gdata-0.0_0.10.2-1_amd64.deb
Checksums-Sha256: 
 323a0033e91fcbdda218814a86f6b852828008f4a57b2c36b7fcd50e5f7d107b 2747 libgdata_0.10.2-1.dsc
 c028f3f39796fe6cc4841413b95a6c470350166ec8b520d17e6f4ff666f32c4e 1129804 libgdata_0.10.2.orig.tar.xz
 b3e7f2a5b52bc353031be4a711970608bf09a4f0e23e259b1f695d3424abdb43 9927 libgdata_0.10.2-1.debian.tar.gz
 8bd5a121608028dfa0fd4752a25f4503f97a5f603d88c9fc561a63d7772c3c96 249012 libgdata-common_0.10.2-1_all.deb
 9127bc539677d86af3ec85c1927cb3a3901708fb10bd45e9fbd35b45aa4c060d 653876 libgdata-doc_0.10.2-1_all.deb
 924ef70fe7d395efb10e6720cbbb95f1bb0c783c7893ab3f8370949a856052d9 401436 libgdata13_0.10.2-1_amd64.deb
 6c872d05e66ceb7acfd3d518865bd716542441fe0dfc21aa68f779649a948edb 662470 libgdata-dev_0.10.2-1_amd64.deb
 f44d9cac45c5fe33b4bf18c4fec771c5d5a6ea59489a0e971f84bd2d438babaf 187902 gir1.2-gdata-0.0_0.10.2-1_amd64.deb
Files: 
 68d62840b39c3561d580d762fc829157 2747 libs optional libgdata_0.10.2-1.dsc
 6df3ee0e50c36e918b11d835ec17d4f6 1129804 libs optional libgdata_0.10.2.orig.tar.xz
 5d42e50942dddb912fa74c45ac3f7d01 9927 libs optional libgdata_0.10.2-1.debian.tar.gz
 7f99c8bb343ec1ad12d3db4b72b65b34 249012 libs optional libgdata-common_0.10.2-1_all.deb
 f1ac8100897782f9e2aa64b694f9dee1 653876 doc optional libgdata-doc_0.10.2-1_all.deb
 aec5f032474208c8c0aa3aa80b69cd95 401436 libs optional libgdata13_0.10.2-1_amd64.deb
 9a63538520240d84348ab9175cf95744 662470 libdevel optional libgdata-dev_0.10.2-1_amd64.deb
 9089100784cebaa50713023ce777e9fd 187902 introspection optional gir1.2-gdata-0.0_0.10.2-1_amd64.deb

Reply sent to Yves-Alexis Perez <corsac@debian.org>:
You have taken responsibility. (Mon, 04 Jun 2012 20:51:13 GMT)

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Mon, 04 Jun 2012 20:51:13 GMT)

Message #20 received at 664032-close@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 664032-close@bugs.debian.org
Subject: Bug#664032: fixed in libgdata 0.6.4-2+squeeze1
Date: Mon, 04 Jun 2012 20:49:14 +0000
Source: libgdata
Source-Version: 0.6.4-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
libgdata, which is due to be installed in the Debian FTP archive:

gir1.0-gdata-0.0_0.6.4-2+squeeze1_amd64.deb
  to main/libg/libgdata/gir1.0-gdata-0.0_0.6.4-2+squeeze1_amd64.deb
libgdata-common_0.6.4-2+squeeze1_all.deb
  to main/libg/libgdata/libgdata-common_0.6.4-2+squeeze1_all.deb
libgdata-dev_0.6.4-2+squeeze1_amd64.deb
  to main/libg/libgdata/libgdata-dev_0.6.4-2+squeeze1_amd64.deb
libgdata-doc_0.6.4-2+squeeze1_all.deb
  to main/libg/libgdata/libgdata-doc_0.6.4-2+squeeze1_all.deb
libgdata7_0.6.4-2+squeeze1_amd64.deb
  to main/libg/libgdata/libgdata7_0.6.4-2+squeeze1_amd64.deb
libgdata_0.6.4-2+squeeze1.diff.gz
  to main/libg/libgdata/libgdata_0.6.4-2+squeeze1.diff.gz
libgdata_0.6.4-2+squeeze1.dsc
  to main/libg/libgdata/libgdata_0.6.4-2+squeeze1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 664032@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated libgdata package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 30 May 2012 15:57:52 +0200
Source: libgdata
Binary: libgdata7 libgdata-common libgdata-dev libgdata-doc gir1.0-gdata-0.0
Architecture: source all amd64
Version: 0.6.4-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>, Sebastian Dröge <slomo@debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description: 
 gir1.0-gdata-0.0 - Description: GObject introspection data for the GData webservices
 libgdata-common - Library for accessing GData webservices - common data files
 libgdata-dev - Library for accessing GData webservices - development files
 libgdata-doc - Library for accessing GData webservices - documentation
 libgdata7  - Library for accessing GData webservices - shared libraries
Closes: 664032
Changes: 
 libgdata (0.6.4-2+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches:
     - 01_validate-ssl-certificates added, backported from upstream.
       Enforce validation of SSL certificates against the system root CAs
       This is CVE-2012-1177.                                    closes: #664032
Checksums-Sha1: 
 707c5b9e28f565e76b177eb97d009b9c41d7d7ef 2345 libgdata_0.6.4-2+squeeze1.dsc
 ddabddaa64cec2e36c2b49ff686295f2f6234a81 1309917 libgdata_0.6.4.orig.tar.gz
 46087b4a5513cb94a0a20696346ec1724610633c 4080 libgdata_0.6.4-2+squeeze1.diff.gz
 094531f068379154131950ea7f796fed2985d00a 100090 libgdata-common_0.6.4-2+squeeze1_all.deb
 830465c560dc727c8f6cc44fc902ed8e0018f0da 393972 libgdata-doc_0.6.4-2+squeeze1_all.deb
 7d88b5f7699ae2a98312ad0ccebea6785a8876fd 239456 libgdata7_0.6.4-2+squeeze1_amd64.deb
 7b14155c5b483374623881dd2db97f2aa47eccdb 372292 libgdata-dev_0.6.4-2+squeeze1_amd64.deb
 3603b567afbbdea1c0b4d86bf33f6939b11fadd9 86930 gir1.0-gdata-0.0_0.6.4-2+squeeze1_amd64.deb
Checksums-Sha256: 
 b48d34eb8b7814ff8b4a90f29a7590edc4abe18dc077750857fc6b387bbd56b6 2345 libgdata_0.6.4-2+squeeze1.dsc
 248c4073e8445f36b2e0d63f89c7817dc31e84ba8cc228986e2ca10416f69c42 1309917 libgdata_0.6.4.orig.tar.gz
 77bcd4b3d925e765b391bd2641b6eae2a76bd449db569965ecac6ca6b44da557 4080 libgdata_0.6.4-2+squeeze1.diff.gz
 ee8166f3b9791e253df3da73594d525fea7861623b86465ded4c0e789d279e39 100090 libgdata-common_0.6.4-2+squeeze1_all.deb
 34765bad8cc544577fc8991b77b9a1a69752301744319b8ecfab0bcd6b7ebb05 393972 libgdata-doc_0.6.4-2+squeeze1_all.deb
 17b99ea1583d4133dc4302803c90ae7f8494585609cc6a84ee33cfa42cf6aae1 239456 libgdata7_0.6.4-2+squeeze1_amd64.deb
 d282a559292d9cd9f0616f47bc32c173c2c91d29a6b7fbd525a10abd95d1146c 372292 libgdata-dev_0.6.4-2+squeeze1_amd64.deb
 774b27db2b22e304b12631f1c8bac4381fe12244fc594ba6d91b479b17b549f1 86930 gir1.0-gdata-0.0_0.6.4-2+squeeze1_amd64.deb
Files: 
 3b229821fa252a8f99e1673594a0cef4 2345 libs optional libgdata_0.6.4-2+squeeze1.dsc
 9636dda6c8839089b18d417b190e3c1c 1309917 libs optional libgdata_0.6.4.orig.tar.gz
 58432804910888bb6d24625896b5d36a 4080 libs optional libgdata_0.6.4-2+squeeze1.diff.gz
 d5356c8388b00e3e844edfd42e18cc40 100090 libs optional libgdata-common_0.6.4-2+squeeze1_all.deb
 bb3f77d64462985d94250c05ea75218b 393972 doc optional libgdata-doc_0.6.4-2+squeeze1_all.deb
 5f6fd7a49f8611bdf549cdaa024d5e69 239456 libs optional libgdata7_0.6.4-2+squeeze1_amd64.deb
 60d22121a828cd88ee32ed8d2931e6ef 372292 libdevel optional libgdata-dev_0.6.4-2+squeeze1_amd64.deb
 f88f346496903249a3ade11c1a1f6edb 86930 libs optional gir1.0-gdata-0.0_0.6.4-2+squeeze1_amd64.deb

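The changelog above states the fix in one line: enforce validation of SSL certificates against the system root CAs. libgdata is a C library whose HTTP layer is libsoup, and this bug log does not show the patched code, so the following is an added example rather than the project's own: it builds the weak and the corrected client configurations in Python's standard ssl module and adds a small audit function that reports which of the two properties a spoofed-certificate MitM relies on being absent, chain validation against a trust store and hostname checking, a given context is missing. The finding codes and function names are this example's own; nothing in it contacts a network.

```python
import ssl

# Finding codes returned by audit_context (this example's own names).
CERT_NONE = "CERT_NONE"                  # peer certificate chain is never validated
NO_HOSTNAME_CHECK = "NO_HOSTNAME_CHECK"  # a valid certificate for any name is accepted
NO_CA_LOADED = "NO_CA_LOADED"            # validation is on, but no trust anchors are loaded


def unverified_client_context():
    """The weak configuration: the class of defect this report describes, constructed
    with Python's ssl module. With these two settings any certificate, self-signed or
    issued for a different host, completes the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_client_context(cafile=None):
    """The corrected configuration: require a chain that validates against the system
    root CAs (or the given CA bundle) and check that the certificate names the host."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default here; stated explicitly
    ctx.check_hostname = True
    return ctx


def audit_context(ctx):
    """Return the finding codes that explain why a client context would accept a
    spoofed server certificate; an empty list means the context verifies properly."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(CERT_NONE)
    if not ctx.check_hostname:
        findings.append(NO_HOSTNAME_CHECK)
    # A context that requires a chain but has no CA certificates loaded cannot accept
    # any server; that usually means the trust store was never configured.
    if ctx.verify_mode != ssl.CERT_NONE and ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append(NO_CA_LOADED)
    return findings


if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_client_context()),
                      ("verified", verified_client_context())):
        print(f"{name}: {audit_context(ctx) or 'ok'}")
```

Both checks have to hold together: a context that validates the chain but not the hostname still accepts any certificate the attacker can obtain from a trusted CA for some other name, which is why the corrected configuration sets both.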
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:28:02 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 09:13:46 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.