CVE-2021-39358

(cherry picked from commit a671f012160120408e86b3341003dbe6d013922a)
2021-11-15 11:33:57 +08:00 · 2021-11-15 11:33:57 +08:00 · 86099963e9
commit 86099963e9
parent 3d6dfe944d
2 changed files with 39 additions and 1 deletions
--- a/CVE-2021-39358.patch
+++ b/CVE-2021-39358.patch
@ -0,0 +1,33 @@
+From a7d3d5cbf64647c1ed8978b2a33a3be35f888129 Mon Sep 17 00:00:00 2001
+From: "Douglas R. Reno" <renodr@linuxfromscratch.org>
+Date: Wed, 15 Sep 2021 17:40:00 +0000
+Subject: [PATCH] Fix CVE-2021-39358 by forcing TLS certificate
+validation
+
+This is similar to the fix performed in other packages. See
+https://gitlab.gnome.org/Teams/Releng/security/-/issues/57 for more
+details.
+
+Tested on Linux From Scratch 11.0 and on Debian 11.
+
+Fixes #17
+
+---
+ gfbgraph/gfbgraph-photo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/gfbgraph/gfbgraph-photo.c b/gfbgraph/gfbgraph-photo.c
+index 1e8955c..f6281a6 100644
+--- a/gfbgraph/gfbgraph-photo.c
+++ b/gfbgraph/gfbgraph-photo.c
+@@ -424,6 +424,7 @@ gfbgraph_photo_download_default_size (GFBGraphPhoto *photo, GFBGraphAuthorizer *
+ 
+         session = soup_session_sync_new ();
+         requester = soup_requester_new ();
+	 g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
+         soup_session_add_feature (session, SOUP_SESSION_FEATURE (requester));
+ 
+         request = soup_requester_request (requester, priv->source, error);
+-- 
+2.27.0
+
--- a/gfbgraph.spec
+++ b/gfbgraph.spec
@ -1,10 +1,11 @@
 Name:                gfbgraph
 Version:             0.2.4
-Release:             1
+Release:             2
 Summary:             GLib/GObject wrapper for the Facebook Graph API
 License:             LGPLv2+
 URL:                 https://wiki.gnome.org/Projects/GFBGraph
 Source0:             https://download.gnome.org/sources/gfbgraph/0.2/gfbgraph-%{version}.tar.xz
+Patch0:              CVE-2021-39358.patch
 BuildRequires:       pkgconfig(gio-2.0) pkgconfig(glib-2.0) pkgconfig(gobject-2.0)
 BuildRequires:       pkgconfig(goa-1.0) gobject-introspection-devel gtk-doc pkgconfig(json-glib-1.0)
 BuildRequires:       pkgconfig(libsoup-2.4) pkgconfig(rest-0.7)
@ -22,6 +23,7 @@ developing applications that use gfbgraph.

 %prep
 %setup -q
+%patch0 -p1

 %build
 sh autogen.sh
@ -60,6 +62,9 @@ rm -rf $RPM_BUILD_ROOT%{_prefix}/doc
 %{_includedir}/gfbgraph-0.2/gfbgraph

 %changelog
+* Mon Nov 15 2021 liwu <liwu13@huawei.com> - 0.2.4-2
+- Fix CVE-2021-39358
+
 * Thu Jun 17 2021 weijin deng <weijin.deng@turbolinux.com.cn> - 0.2.4-1
 - Upgrade to 0.2.4