packages/libzapojit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!7 [sync] PR-2: fix CVE-2021-39360

Browse Source 
From: @openeuler-sync-bot
Reviewed-by: @small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-11-15 09:18:38 +00:00 committed by Gitee
commit b801c10f9e
2 changed files with 49 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
CVE-2021-39360.patch Normal file
View File

@ -0,0 +1,43 @@
From a033fe378d1683354adc3718fbdc7c07f793206d Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Thu, 14 Oct 2021 16:55:48 +0200
Subject: [PATCH] skydrive: Guard against invalid SSL certificates
Fixes: CVE-2021-39360
https://gitlab.gnome.org/GNOME/libzapojit/-/issues/4
---
src/zpj-skydrive.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/zpj-skydrive.c b/src/zpj-skydrive.c
index c91b126..1d91d31 100644
--- a/src/zpj-skydrive.c
+++ b/src/zpj-skydrive.c
@@ -415,6 +415,7 @@ zpj_skydrive_delete_entry_id (ZpjSkydrive *self, const gchar *entry_id, GCancell
goto out;
session = soup_session_sync_new ();
+ g_object_set (session, SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
url = g_strconcat (live_endpoint, entry_id, NULL);
message = soup_message_new ("DELETE", url);
@@ -744,6 +745,7 @@ zpj_skydrive_download_file_id_to_path (ZpjSkydrive *self,
data.loop = g_main_loop_new (context, FALSE);
session = soup_session_async_new_with_options (SOUP_SESSION_USE_THREAD_CONTEXT, TRUE, NULL);
+ g_object_set (session, SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
url = g_strconcat (live_endpoint, file_id, "/content", NULL);
message = soup_message_new ("GET", url);
@@ -1291,6 +1293,7 @@ zpj_skydrive_upload_path_to_folder_id (ZpjSkydrive *self,
goto out;
session = soup_session_sync_new ();
+ g_object_set (session, SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
url = g_strconcat (live_endpoint, folder_id, "/files", NULL);
message = soup_message_new ("POST", url);
--
2.27.0

7
libzapojit.spec
View File

@ -1,11 +1,13 @@
Name: libzapojit Name: libzapojit
Version: 0.0.3 Version: 0.0.3
Release: 15 Release: 16
Summary: GLib/GObject wrapper for the SkyDrive and Hotmail REST APIs Summary: GLib/GObject wrapper for the SkyDrive and Hotmail REST APIs
License: LGPLv2+ License: LGPLv2+
URL: https://wiki.gnome.org/Projects/Zapojit URL: https://wiki.gnome.org/Projects/Zapojit
Source0: http://download.gnome.org/sources/libzapojit/0.0/libzapojit-%{version}.tar.xz Source0: http://download.gnome.org/sources/libzapojit/0.0/libzapojit-%{version}.tar.xz
Patch0001: CVE-2021-39360.patch
BuildRequires: gettext pkgconfig(gio-2.0) >= 2.28 pkgconfig(glib-2.0) >= 2.28 BuildRequires: gettext pkgconfig(gio-2.0) >= 2.28 pkgconfig(glib-2.0) >= 2.28
BuildRequires: pkgconfig(gobject-2.0) >= 2.28 pkgconfig(goa-1.0) BuildRequires: pkgconfig(gobject-2.0) >= 2.28 pkgconfig(goa-1.0)
BuildRequires: pkgconfig(gobject-introspection-1.0) gtk-doc intltool BuildRequires: pkgconfig(gobject-introspection-1.0) gtk-doc intltool
@ -62,5 +64,8 @@ sed --in-place --expression 's! -shared ! -Wl,--as-needed\0!g' libtool
%exclude %{_datadir}/doc/libzapojit %exclude %{_datadir}/doc/libzapojit
%changelog %changelog
* Fri Nov 12 2021 yaoxin <yaoxin30@huawei.com> - 0.0.3-16
- Fix CVE-2021-39360
* Tue Jun 9 2020 leiju <leiju4@huawei.com> - 0.0.3-15 * Tue Jun 9 2020 leiju <leiju4@huawei.com> - 0.0.3-15
- Package init - Package init