Ubuntu
libgdata package

libgdata does not validate SSL certificates

Bug #938812 reported by Vreixo Formoso
264
This bug affects 2 people
Affects Status Importance Assigned to Milestone
libgdata
Fix Released
Critical
libgdata (Ubuntu)
Fix Released
Medium
Unassigned
Lucid
Fix Released
Medium
Unassigned
Maverick
Won't Fix
Medium
Unassigned
Natty
Fix Released
Medium
Unassigned
Oneiric
Won't Fix
Medium
Unassigned
Precise
Fix Released
Medium
Unassigned

Bug Description

When accessing google services over SSL, the certificate is not validated, which allows a MITM attack that can expose user name and password. This bug can be easily exploited using a tool such as sslsniff. At least evolution is affected by this bug (see bug #933659).

Revision history for this message
Vreixo Formoso (metalpain2002) wrote :
Jamie Strandboge (jdstrand)
Changed in libgdata (Ubuntu):
status: New → Triaged
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I've sent the report upstream, thanks.

Marc Deslauriers (mdeslaur)
visibility: private → public
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "This patch fixes the problem on Natty." of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Upstream commits:

http://git.gnome.org/browse/libgdata/commit/?id=6799f2c525a584dc998821a6ce897e463dad7840
http://git.gnome.org/browse/libgdata/commit/?h=libgdata-0-10&id=8eff8fa9138859e03e58c2aa76600ab63eb5c29c

tags: removed: patch
Revision history for this message
Vreixo Formoso (metalpain2002) wrote :

Great, thanks! Do you plan to have an ubuntu security patch for this? Would it be on next 12.04 release?

Revision history for this message
Steve Beattie (sbeattie) wrote :

A sync request to fix this for 12.04 (precise) has been issued in bug 956601.

Marc Deslauriers (mdeslaur)
Changed in libgdata (Ubuntu Lucid):
status: New → Confirmed
Changed in libgdata (Ubuntu Maverick):
status: New → Confirmed
Changed in libgdata (Ubuntu Natty):
status: New → Confirmed
Changed in libgdata (Ubuntu Oneiric):
status: New → Confirmed
Changed in libgdata (Ubuntu Precise):
status: Triaged → Fix Released
Changed in libgdata (Ubuntu Lucid):
importance: Undecided → Medium
Changed in libgdata (Ubuntu Maverick):
importance: Undecided → Medium
Changed in libgdata (Ubuntu Natty):
importance: Undecided → Medium
Changed in libgdata (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in libgdata (Ubuntu Precise):
importance: Undecided → Medium
Bug Watch Updater (bug-watch-updater)
Changed in libgdata:
importance: Unknown → Critical
status: Unknown → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in libgdata (Ubuntu Maverick):
status: Confirmed → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libgdata - 0.5.2-0ubuntu1.1

---------------
libgdata (0.5.2-0ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: failure to verify SSL certificates (LP: #938812)
    - debian/patches/01_CVE-2012-1177.patch: cause libsoup to verify SSL
      certificates by creating soup session with the system CA file
    - CVE-2012-1177
 -- Steve Beattie <email address hidden> Fri, 25 May 2012 14:29:11 -0700

Changed in libgdata (Ubuntu Lucid):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libgdata - 0.8.0-0ubuntu1.1

---------------
libgdata (0.8.0-0ubuntu1.1) natty-security; urgency=low

  * SECURITY UPDATE: failure to verify SSL certificates (LP: #938812)
    - debian/patches/01_CVE-2012-1177.patch: cause libsoup to verify SSL
      certificates by creating soup session with the system CA file
    - CVE-2012-1177
 -- Steve Beattie <email address hidden> Fri, 25 May 2012 14:11:57 -0700

Changed in libgdata (Ubuntu Natty):
status: Confirmed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in libgdata (Ubuntu Oneiric):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.