Re: CVE Request: evolution-data-server lacks SSL checking in its libsoup users

[Marcus Meissner <meissner () suse de>]

On Thu, May 03, 2012 at 05:27:02PM +0200, Marcus Meissner wrote:
> Hi,
>
> The libsoup SSL certificate checking problem Ludwig exposed is drawing some
> circles.
>
> I started looking at the libsoup users, first one is evolution-data-server,
>
> None of the libsoup users there seem to handle SSL certificate trust correctly (or at all) in my eyes.
>
> In version 2.28 these are.
>       Groupwise protocol handling (server/groupwise/e-gw-connection.c)
>       Exchange protocol handling (server/exchange/lib/e2k-context.c)
>       Google (servers/google/libgdata-google/gdata-google-service.c)
>       calendar/backends/http/e-cal-backend-http.c
>       calendar/backends/caldav/e-cal-backend-caldav.c
>
> I do not fully understand the correct solution to this yet though, whether we need
> to pass in additional flags, or evaluate the "trusted" flag after the connect.
>
> https://bugzilla.novell.com/show_bug.cgi?id=760517

This was already reported:
        https://bugzilla.gnome.org/show_bug.cgi?id=671537
        https://launchpad.net/bugs/933659   (private still)

so it might have a CVE already.

Ciao, Marcus