1189850 – (CVE-2021-39358) VUL-0: CVE-2021-39358: gfbgraph: missing TLS certificate verification

Bug 1189850 (CVE-2021-39358) - VUL-0: CVE-2021-39358: gfbgraph: missing TLS certificate verification

Summary: VUL-0: CVE-2021-39358: gfbgraph: missing TLS certificate verification

Status:	RESOLVED FIXED

Alias:	CVE-2021-39358

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/307799/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-39358:7.5:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2021-08-26 14:56 UTC by Gianluca Gabrielli
Modified:	2024-05-13 17:39 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gianluca Gabrielli 2021-08-26 14:56:03 UTC

In GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.

References:
https://gitlab.gnome.org/GNOME/libgfbgraph/-/issues/17
https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1997139
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39358
http://www.cvedetails.com/cve/CVE-2021-39358/
https://gitlab.gnome.org/GNOME/libgfbgraph/-/issues/17
https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/

Comment 1 Gianluca Gabrielli 2021-08-26 14:56:36 UTC

Potential affected packages:
 - SUSE:SLE-15:Update/gfbgraph             0.2.3
 - openSUSE:Factory/gfbgraph               0.2.4
 - openSUSE:Backports:SLE-15-SP2/gfbgraph  0.2.3

No patch is available yet.

Comment 5 Swamp Workflow Management 2022-08-23 16:18:34 UTC

SUSE-SU-2022:2876-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1189850
CVE References: CVE-2021-39358
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    gfbgraph-0.2.3-150000.3.5.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    gfbgraph-0.2.3-150000.3.5.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    gfbgraph-0.2.3-150000.3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Jia Zhaocong 2022-10-19 03:39:17 UTC

Cleaning up GNOME CVE backlog. The fix has been submitted and accepted. Assign back to security team.