diff --git a/.gfbgraph.metadata b/.gfbgraph.metadata
index 518bdb8..c4ec8c9 100644
--- a/.gfbgraph.metadata
+++ b/.gfbgraph.metadata
@@ -1 +1 @@
-d01c2b4195641d6431c2233e17528559e1aebb42 SOURCES/gfbgraph-0.2.3.tar.xz
+bba9d7149b975e59e5831fb2287ebaad98f85ec1 SOURCES/gfbgraph-0.2.4.tar.xz
diff --git a/.gitignore b/.gitignore
index aedbf5c..48257f6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/gfbgraph-0.2.3.tar.xz
+SOURCES/gfbgraph-0.2.4.tar.xz
diff --git a/SOURCES/gfbgraph-Fix-CVE-2021-39358-by-forcing-TLS-certificate-valida.patch b/SOURCES/gfbgraph-Fix-CVE-2021-39358-by-forcing-TLS-certificate-valida.patch
new file mode 100644
index 0000000..4a5504e
--- /dev/null
+++ b/SOURCES/gfbgraph-Fix-CVE-2021-39358-by-forcing-TLS-certificate-valida.patch
@@ -0,0 +1,29 @@
+From c294b06ec0f3a0b8e3f6292de962e048bbd7774a Mon Sep 17 00:00:00 2001
+From: "Douglas R. Reno"
+Date: Wed, 15 Sep 2021 17:40:00 +0000
+Subject: [PATCH] Fix CVE-2021-39358 by forcing TLS certificate validation.
+
+This is similar to the fix performed in other packages. See https://gitlab.gnome.org/Teams/Releng/security/-/issues/57 for more details. Note that this is my first non-documentation commit to a GNOME package, but I'm a distributor and want to see this fixed.
+
+Tested on Linux From Scratch 11.0 and on Debian 11.
+
+Fixes #17
+---
+ gfbgraph/gfbgraph-photo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/gfbgraph/gfbgraph-photo.c b/gfbgraph/gfbgraph-photo.c
+index 69eb98db2576..2ebb9aaf8db1 100644
+--- a/gfbgraph/gfbgraph-photo.c
++++ b/gfbgraph/gfbgraph-photo.c
+@@ -422,6 +422,7 @@ gfbgraph_photo_download_default_size (GFBGraphPhoto *photo, GFBGraphAuthorizer *
+ 
+ session = soup_session_sync_new ();
+ requester = soup_requester_new ();
++ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
+ soup_session_add_feature (session, SOUP_SESSION_FEATURE (requester));
+ 
+ request = soup_requester_request (requester, priv->source, error);
+-- 
+2.31.1
+
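Review bot: The added `g_object_set` line in the embedded gfbgraph-photo.c hunk turns on the system CA file, but a bad certificate is only rejected because the session's `ssl-strict` property keeps its default of TRUE, and nothing in the hunk documents that dependency. A comment directly above the call, e.g. `/* soup_session_sync_new() leaves ssl-use-system-ca-file FALSE; enable it so ssl-strict (default TRUE) actually verifies the peer certificate (CVE-2021-39358) */`, would keep the intent visible to whoever next reworks this session setup. The diffstat shows a single call site being fixed; if the library creates SoupSession objects elsewhere they would presumably need the same property, which cannot be confirmed from this patch. gfbgraph_photo_download_default_size begins and ends outside the hunk.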
diff --git a/SPECS/gfbgraph.spec b/SPECS/gfbgraph.spec index 9a171b0..1e2afc1 100644 --- a/SPECS/gfbgraph.spec +++ b/SPECS/gfbgraph.spec @@ -1,22 +1,29 @@ %global api 0.2 Name: gfbgraph -Version: %{api}.3 -Release: 6%{?dist} +Version: %{api}.4 +Release: 1%{?dist} Summary: GLib/GObject wrapper for the Facebook Graph API License: LGPLv2+ -URL: http://wiki.gnome.org/GFBGraph -Source0: http://download.gnome.org/sources/%{name}/%{api}/%{name}-%{version}.tar.xz - -BuildRequires: glib2-devel -BuildRequires: gnome-online-accounts-devel +URL: https://wiki.gnome.org/Projects/GFBGraph +Source0: https://download.gnome.org/sources/%{name}/%{api}/%{name}-%{version}.tar.xz + +# https://bugzilla.redhat.com/show_bug.cgi?id=1997941 +Patch0: %{name}-Fix-CVE-2021-39358-by-forcing-TLS-certificate-valida.patch + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +BuildRequires: pkgconfig(gio-2.0) +BuildRequires: pkgconfig(glib-2.0) +BuildRequires: pkgconfig(gobject-2.0) +BuildRequires: pkgconfig(goa-1.0) BuildRequires: gobject-introspection-devel BuildRequires: gtk-doc -BuildRequires: json-glib-devel -BuildRequires: libsoup-devel -BuildRequires: pkgconfig -BuildRequires: rest-devel +BuildRequires: pkgconfig(json-glib-1.0) +BuildRequires: pkgconfig(libsoup-2.4) +BuildRequires: pkgconfig(rest-0.7) Requires: gobject-introspection %description @@ -35,9 +42,12 @@ developing applications that use %{name}. %prep %setup -q +%patch0 -p1 %build +gtkdocize +autoreconf --install --verbose %configure \ --disable-silent-rules \ --disable-static \ 
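Review bot: The `Patch0` comment in the first hunk identifies the backport only by its Bugzilla number, and the changelog hunk (`@@ -87,6 +95,10 @@`) says just `- Update to 0.2.4` / `Resolves: #1997941`, so neither the spec nor `rpm -q --changelog` reveals that this build carries a CVE fix. I would follow the existing comment with `# CVE-2021-39358: force TLS certificate validation (upstream commit c294b06ec0f3a0b8e3f6292de962e048bbd7774a)` and add a changelog bullet such as `- Backport upstream fix for CVE-2021-39358 (enforce TLS certificate validation)`. The commit id is the one recorded in the From line of the added patch file, so it can be cross-checked against upstream without opening the patch.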
@@ -47,18 +57,16 @@ developing applications that use %{name}. # Omit unused direct shared library dependencies. sed --in-place --expression 's! -shared ! -Wl,--as-needed\0!g' libtool -make %{?_smp_mflags} +%make_build %install -make install INSTALL="%{__install} -p" DESTDIR=$RPM_BUILD_ROOT +%make_install find $RPM_BUILD_ROOT -name '*.la' -delete rm -rf $RPM_BUILD_ROOT%{_prefix}/doc -%post -p /sbin/ldconfig - -%postun -p /sbin/ldconfig +%ldconfig_scriptlets %files @@ -87,6 +95,10 @@ rm -rf $RPM_BUILD_ROOT%{_prefix}/doc %changelog +* Tue Oct 12 2021 Debarshi Ray - 0.2.4-1 +- Update to 0.2.4 +Resolves: #1997941 + * Wed Feb 07 2018 Fedora Release Engineering - 0.2.3-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild