CVE-2013-0240: fails to verify SSL certificates when creating accounts

Bug #1117411 reported by Simon McVittie on 2013-02-06
Affects                          Status        Importance  Assigned to  Milestone
gnome-online-accounts            Fix Released  Critical
gnome-online-accounts (Debian)   Fix Released  Unknown
gnome-online-accounts (Fedora)   Fix Released  Medium
gnome-online-accounts (Ubuntu)                 Undecided   Unassigned

Bug Description

See:

https://bugzilla.gnome.org/show_bug.cgi?id=693214

https://bugzilla.redhat.com/show_bug.cgi?id=894352

At the time of writing, there is no patch for the 3.6 series, only for 3.4 and 3.7.

This issue affects the versions of the gnome-online-accounts package shipped with Fedora releases 16 and 17.

It was found that Gnome Online Accounts (GOA) did not perform SSL certificate validation when creating Windows Live and Facebook accounts. A remote attacker could use this flaw to conduct man-in-the-middle (MiTM) attacks, possibly allowing them to obtain sensitive information.

Acknowledgements:

Red Hat would like to thank Simon McVittie for reporting this issue.

Created gnome-online-accounts tracking bugs for this issue

Affects: fedora-all [bug 908000]

Simon McVittie (smcv) on 2013-02-06
information type: Private Security → Public Security
Changed in gnome-online-accounts (Ubuntu):
status: New → Triaged
Changed in gnome-online-accounts:
importance: Unknown → Critical
status: Unknown → New
Changed in gnome-online-accounts (Debian):
status: Unknown → Fix Released

gnome-online-accounts-3.4.2-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Changed in gnome-online-accounts:
status: New → Fix Released

gnome-online-accounts-3.6.3-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package gnome-online-accounts - 3.6.2-1ubuntu1

---------------
gnome-online-accounts (3.6.2-1ubuntu1) raring; urgency=low

  * SECURITY UPDATE: incorrect ssl cert validation (LP: #1117411)
    - debian/patches/CVE-2013-0240.patch: properly validate ssl certs and
      fix cancellation in src/goa/goaenums.h, src/goa/goaerror.c,
      src/goabackend/goaewsclient.c, src/goabackend/goaewsclient.h,
      src/goabackend/goaexchangeprovider.c,
      src/goabackend/goagoogleprovider.c,
      src/goabackend/goahttpclient.*, src/goabackend/goautils.*,
      src/goabackend/goawebview.c.
    - debian/libgoa-1.0-0.symbols: updated with new symbol.
    - CVE-2013-0240
    - CVE-2013-1799
 -- Marc Deslauriers <email address hidden> Thu, 21 Mar 2013 13:22:10 -0400

Changed in gnome-online-accounts (Ubuntu):
status: Triaged → Fix Released

Just to note that CVE-2013-1799 was assigned to the incomplete fix present in 3.6.3 and 3.7.5 (I'm presuming some beta or pre-releases).

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-0240 to
the following vulnerability:

Name: CVE-2013-0240
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0240
Assigned: 20121206
Reference: https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=894352
Reference: https://bugzilla.gnome.org/show_bug.cgi?id=693214
Reference: https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=ecad8142e9ac519b9fc74b96dcb5531052bbffe1
Reference: https://git.gnome.org/browse/gnome-online-accounts/commit/?id=bc10fdb68f75f8be84eb698ada08743b9c7c248f
Reference: https://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e

Gnome Online Accounts (GOA) 3.4.x, 3.6.x before 3.6.3, and 3.7.x
before 3.7.5 does not properly validate SSL certificates when
creating accounts such as Windows Live and Facebook accounts, which
allows man-in-the-middle attackers to obtain sensitive information
such as credentials by sniffing the network.

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1799 to
the following vulnerability:

Name: CVE-2013-1799
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1799
Assigned: 20130219
Reference: https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html
Reference: https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00020.html
Reference: https://bugzilla.gnome.org/show_bug.cgi?id=693214
Reference: https://bugzilla.gnome.org/show_bug.cgi?id=695106
Reference: https://git.gnome.org/browse/gnome-online-accounts/commit/?id=9cf4bc0ced2c53bcdd36922caa65afc8a167bbd8

Gnome Online Accounts (GOA) 3.6.x before 3.6.3 and 3.7.x before
3.7.91 does not properly validate SSL certificates when creating
accounts for providers who use the libsoup library, which allows
man-in-the-middle attackers to obtain sensitive information such as
credentials by sniffing the network. NOTE: this issue exists because
of an incomplete fix for CVE-2013-0240.

I do not believe that CVE-2013-1799 affects us as we have the fixed 3.6.3 and 3.4.2 updates. Can someone confirm that this is indeed the case?

Changed in gnome-online-accounts (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released