Re: CVE Request: evolution-data-server lacks SSL checking in its libsoup users

[Marcus Meissner <meissner () suse de>]

On Fri, May 04, 2012 at 10:03:20AM -0600, Kurt Seifried wrote:
> On 05/04/2012 02:30 AM, Steve Beattie wrote:
> > On Fri, May 04, 2012 at 10:03:11AM +0200, Marcus Meissner wrote:
> > > This was already reported: 
> > > https://bugzilla.gnome.org/show_bug.cgi?id=671537 
> > > https://launchpad.net/bugs/933659   (private still)
> > >
> > > so it might have a CVE already.
> >
> > I've made the launchpad bug public now. There was no CVE assigned 
> > in that report.
> >
> > Thanks.
>
> Shouldn't these all be covered by the libsoup CVE:
>
> > libsoup 2.32.2 does not verify certificates at all if an 
> > application does not explicitly specify a file with trusted root 
> > CA's. Since that libsoup version relies on the verification
> > failure to clear the trust flag it always considers ssl connections
> > as trusted in that case.
> >
> > Reference: https://bugzilla.novell.com/show_bug.cgi?id=758431
> >
> > cu Ludwig
> Please use CVE-2012-2132 for this issue.

That really depends if it is the task of libsoup or the task of the
applications I think. So who is lacking the checks...

Our opinion is that the default should be "good" in libsoup, so a CVE
is needed there in all cases.

Ciao, Marcus