Bug 997861 (CVE-2016-1000033) - VUL-1: CVE-2016-1000033 shotwell: TLS certificates are not validated when publishing photos to external services
Summary: VUL-1: CVE-2016-1000033 shotwell: TLS certificates are not validated when pub...
Status: RESOLVED FIXED
Alias: CVE-2016-1000033
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Minor
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/172443/
Whiteboard: CVSSv2:RedHat:CVE-2016-1000033:2.6:(...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-08 09:30 UTC by Victor Pereira
Modified: 2016-09-08 15:06 UTC
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2016-09-08 09:30:07 UTC
rh#1291361

It was discovered that shotwell did not validate TLS certificates when publishing photos and logging into Facebook, Flickr, etc.

Upstream patches can be found here:

https://bugzilla.gnome.org/show_bug.cgi?id=751709

References:
https://bugzilla.gnome.org/show_bug.cgi?id=754488
https://bugzilla.redhat.com/show_bug.cgi?id=1291361
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000033
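As an added example (not Shotwell's code and not the upstream patch linked above), the following Vala program shows the two libsoup 2.4 session setups behind this class of bug: a Soup.SessionAsync left at its defaults loads no CA store, so a forged server certificate is accepted without complaint, whereas a session with ssl_use_system_ca_file and ssl_strict set fails the request on any TLS error. The function names, the compile command and the default test URL are assumptions made for the example; point it at any HTTPS host whose certificate should not verify.

```vala
// Added illustrative example, not Shotwell's own code or the upstream patch.
// Assumed compile command: valac --pkg libsoup-2.4 tls_check.vala
using Soup;

// Vulnerable shape: Soup.SessionAsync loads no CA store unless asked, so there
// is nothing to verify a server certificate against and a forged or
// self-signed certificate is accepted silently.
Soup.Session make_session_unverified () {
    return new Soup.SessionAsync ();
}

// Corrected shape: load the system CA bundle and make any TLS error fail the
// request with Soup.Status.SSL_FAILED instead of being ignored.
Soup.Session make_session_verified () {
    var session = new Soup.SessionAsync ();
    session.ssl_use_system_ca_file = true;
    session.ssl_strict = true;
    return session;
}

// Perform a GET and report whether the certificate chain was actually
// trusted. Returns true only for a trusted chain and an HTTP 200.
bool fetch_checked (Soup.Session session, string url) {
    var msg = new Soup.Message ("GET", url);
    session.send_message (msg);

    GLib.TlsCertificate cert;
    GLib.TlsCertificateFlags errors;
    bool is_https = msg.get_https_status (out cert, out errors);

    if (msg.status_code == Soup.Status.SSL_FAILED) {
        stderr.printf ("%s: TLS handshake rejected, certificate error flags 0x%x\n",
                       url, (uint) errors);
        return false;
    }
    // Even without ssl_strict, libsoup records the verification result in the
    // message flags; CERTIFICATE_TRUSTED is the bit a publisher must check
    // before sending credentials or photos over the connection.
    if (is_https && (msg.flags & Soup.MessageFlags.CERTIFICATE_TRUSTED) == 0) {
        stderr.printf ("%s: connection succeeded on an UNTRUSTED certificate (flags 0x%x)\n",
                       url, (uint) errors);
        return false;
    }
    return msg.status_code == Soup.Status.OK;
}

int main (string[] args) {
    // Assumed test target: a host presenting a certificate that must not verify.
    string url = args.length > 1 ? args[1] : "https://self-signed.badssl.com/";

    bool unverified_ok = fetch_checked (make_session_unverified (), url);
    bool verified_ok = fetch_checked (make_session_verified (), url);
    stdout.printf ("unverified session accepted: %s\nverified session accepted:   %s\n",
                   unverified_ok.to_string (), verified_ok.to_string ());
    return 0;
}
```

Against a self-signed target the unverified session completes the handshake and only the CERTIFICATE_TRUSTED check exposes the problem, while the verified session never gets past the handshake; a publishing plugin that did neither is exactly the condition described in this report.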
Comment 1 Bjørn Lie 2016-09-08 09:41:23 UTC
Pretty sure we have them already :-)

bjolie@drude:~> osc ls openSUSE:Leap:42.1:Update shotwell
_link
# -> openSUSE:Leap:42.1:Update shotwell.4813 (latest)
_service
_servicedata
shotwell-0.22.0+git.20160103.tar.xz
shotwell.changes
shotwell.spec
bjolie@drude:~> osc ls openSUSE:13.2:Update shotwell
_link
# -> openSUSE:13.2:Update shotwell.4816 (latest)
_service
_servicedata
shotwell-0.22.0+git.20160103.tar.xz
shotwell.changes
shotwell.spec

bjolie@drude:~> osc ls openSUSE:Leap:42.2 shotwell
_service
_servicedata
shotwell-0.22.0+git.20160103.tar.xz
shotwell.changes
shotwell.spec


bjolie@drude:~> lookup2 shotwell
shotwell: SUSE:SLE-12-SP2:GA

That said: We could always bump shotwell to latest stable, as there is again an upstream that releases tarballs.

Factory has the latest.

bjolie@drude:~> osc ls openSUSE:Factory shotwell
shotwell-0.23.5.tar.xz
shotwell.changes
shotwell.spec
bjolie@drude:~>
Comment 2 Bjørn Lie 2016-09-08 09:45:41 UTC
That was a lie; the latest is on its way.

bjolie@drude:~> osc ls GNOME:Next shotwell
_link
shotwell-0.23.6.tar.xz
shotwell.changes
shotwell.spec
# -> graphics shotwell (latest)
shotwell-0.23.6.tar.xz
shotwell.changes
shotwell.spec
bjolie@drude:~>
Comment 3 Felix Zhang 2016-09-08 10:15:05 UTC
Hi Bjørn,

Sorry, I'm afraid we can't update shotwell for SLE12SP2 and Leap 42.2 yet, because it requires a newer version of msgfmt than we have now.
Comment 4 Bjørn Lie 2016-09-08 10:53:15 UTC
(In reply to Felix Zhang from comment #3)
> Hi Bjørn,
> 
> Sorry, I'm afraid we can't update shotwell for SLE12SP2 and Leap 42.2 yet,
> because it requires a newer version of msgfmt than we have now.

Okay, but at least we have the CVE fixed (someone please triple-verify that), and close the bug.
Comment 5 Michael Gorse 2016-09-08 15:06:27 UTC
I checked our tarball, and we already have the patch. Closing.