libgdata does not validate SSL certificates

Bug #938812 reported by Vreixo Formoso on 2012-02-22
Affects             Status        Importance  Assigned to  Milestone
libgdata            Fix Released  Critical
libgdata (Ubuntu)                 Medium      Unassigned
  Lucid             Fix Released  Medium      Unassigned
  Maverick          Won't Fix     Medium      Unassigned
  Natty             Fix Released  Medium      Unassigned
  Oneiric           Won't Fix     Medium      Unassigned
  Precise           Fix Released  Medium      Unassigned

Bug Description

When accessing google services over SSL, the certificate is not validated, which allows a MITM attack that can expose user name and password. This bug can be easily exploited using a tool such as sslsniff. At least evolution is affected by this bug (see bug #933659).

Revision history for this message
Vreixo Formoso (metalpain2002) wrote :
Changed in libgdata (Ubuntu):
status: New → Triaged
Marc Deslauriers (mdeslaur) wrote :

I've sent the report upstream, thanks.

visibility: private → public
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "This patch fixes the problem on Natty." of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Marc Deslauriers (mdeslaur) wrote :
tags: removed: patch
Vreixo Formoso (metalpain2002) wrote :

Great, thanks! Do you plan to have an Ubuntu security patch for this? Would it be in the next 12.04 release?

Steve Beattie (sbeattie) wrote :

A sync request to fix this for 12.04 (precise) has been issued in bug 956601.

Changed in libgdata (Ubuntu Lucid):
status: New → Confirmed
Changed in libgdata (Ubuntu Maverick):
status: New → Confirmed
Changed in libgdata (Ubuntu Natty):
status: New → Confirmed
Changed in libgdata (Ubuntu Oneiric):
status: New → Confirmed
Changed in libgdata (Ubuntu Precise):
status: Triaged → Fix Released
Changed in libgdata (Ubuntu Lucid):
importance: Undecided → Medium
Changed in libgdata (Ubuntu Maverick):
importance: Undecided → Medium
Changed in libgdata (Ubuntu Natty):
importance: Undecided → Medium
Changed in libgdata (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in libgdata (Ubuntu Precise):
importance: Undecided → Medium
Changed in libgdata:
importance: Unknown → Critical
status: Unknown → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in libgdata (Ubuntu Maverick):
status: Confirmed → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libgdata - 0.5.2-0ubuntu1.1

---------------
libgdata (0.5.2-0ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: failure to verify SSL certificates (LP: #938812)
    - debian/patches/01_CVE-2012-1177.patch: cause libsoup to verify SSL
      certificates by creating soup session with the system CA file
    - CVE-2012-1177
 -- Steve Beattie <email address hidden> Fri, 25 May 2012 14:29:11 -0700

Changed in libgdata (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libgdata - 0.8.0-0ubuntu1.1

---------------
libgdata (0.8.0-0ubuntu1.1) natty-security; urgency=low

  * SECURITY UPDATE: failure to verify SSL certificates (LP: #938812)
    - debian/patches/01_CVE-2012-1177.patch: cause libsoup to verify SSL
      certificates by creating soup session with the system CA file
    - CVE-2012-1177
 -- Steve Beattie <email address hidden> Fri, 25 May 2012 14:11:57 -0700

Changed in libgdata (Ubuntu Natty):
status: Confirmed → Fix Released
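Added example (not libgdata's, libsoup's or Ubuntu's code) illustrating the two sides of this report: the missing validation in the bug description and the "verify against the system CA file" fix in the changelogs above. It uses Go's standard library because it can stand up a throwaway HTTPS server offline; httptest's self-signed certificate stands in for the one a proxy like sslsniff would present, and the empty certificate pool stands in for a system CA file that does not vouch for that issuer.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fetchOK does one HTTPS GET under TLS policy cfg (the analogue of the soup session's SSL settings).
func fetchOK(url string, cfg *tls.Config) bool {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return false // handshake refused: the certificate did not validate
	}
	resp.Body.Close()
	return true
}

// Demo stands up a local HTTPS server whose self-signed certificate (httptest's own,
// trusted by no CA file) stands in for a proxy's, and returns what three policies do.
func Demo() (noCheck, unknownCA, knownCA bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	}))
	defer srv.Close()

	// The bug: no validation, so the interposed certificate is accepted and the
	// credentials in the request go to whoever holds its private key.
	noCheck = fetchOK(srv.URL, &tls.Config{InsecureSkipVerify: true})

	// The fix: validate against a CA file (an empty pool here, constructed to model a
	// system CA file that lacks the forged issuer); the connection is refused early.
	unknownCA = fetchOK(srv.URL, &tls.Config{RootCAs: x509.NewCertPool()})

	// Same policy with the peer's certificate in the CA set: validation passes, so the
	// fix rejects only untrusted peers rather than all TLS connections.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	knownCA = fetchOK(srv.URL, &tls.Config{RootCAs: pool})
	return
}

func main() {
	noCheck, unknownCA, knownCA := Demo()
	fmt.Printf("no validation: %v, unknown CA: %v, trusted CA: %v\n", noCheck, unknownCA, knownCA)
}
```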
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in libgdata (Ubuntu Oneiric):
status: Confirmed → Won't Fix