oss-security - CVE Request: evolution-data-server lacks SSL checking in its libsoup users

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-ID: <20120503152702.GC6227@suse.de>
Date: Thu, 3 May 2012 17:27:02 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE Request: evolution-data-server lacks SSL checking in its libsoup users

Hi,

The libsoup SSL certificate checking problem Ludwig exposed is drawing some
circles.

I started looking at the libsoup users, first one is evolution-data-server,

None of the libsoup users there seem to handle SSL certificate trust correctly (or at all) in my eyes.

In version 2.28 these are.
	Groupwise protocol handling (server/groupwise/e-gw-connection.c)
	Exchange protocol handling (server/exchange/lib/e2k-context.c)
	Google (servers/google/libgdata-google/gdata-google-service.c)
	calendar/backends/http/e-cal-backend-http.c
	calendar/backends/caldav/e-cal-backend-caldav.c

I do not fully understand the correct solution to this yet though, whether we need
to pass in additional flags, or evaluate the "trusted" flag after the connect.

https://bugzilla.novell.com/show_bug.cgi?id=760517

Ciao, Marcus

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.