Bug 1842645 (CVE-2020-13645)

Summary: CVE-2020-13645 glib-networking: GTlsClientConnection silently ignores unset server identity
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cfergeau, danw, erik-fedora, gnome-sig, klember, manisandro, mclasen, rh-spice-bugs
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: glib-networking 2.62.4 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1842646, 1842647, 1844306, 1844307    
Bug Blocks: 1842648    

Description Guilherme de Almeida Suckevicz 2020-06-01 18:55:19 UTC
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.

References:
https://gitlab.gnome.org/GNOME/balsa/-/issues/34
https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Comment 1 Guilherme de Almeida Suckevicz 2020-06-01 18:55:39 UTC
Created glib-networking tracking bugs for this issue:

Affects: fedora-all [bug 1842646]


Created mingw-glib-networking tracking bugs for this issue:

Affects: fedora-all [bug 1842647]