Bug 643408 (CVE-2010-3900)

Summary: CVE-2010-3900 Midori: When used with WebKitGTK+ before 1.1.14 or LibSoup before 2.29.91 does not verify X.509 certificates
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Version: unspecified
CC: kevin, maxamillion
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-08-24 15:39:40 UTC

Description Jan Lieskovsky 2010-10-15 14:25:58 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3900 to
the following vulnerability:

Midori before 0.2.5, when WebKitGTK+ before 1.1.14 or LibSoup before
2.29.91 is used, does not verify X.509 certificates, which allows
man-in-the-middle attackers to spoof arbitrary https web sites via a
crafted server certificate, a related issue to CVE-2010-3312.

References:
[1] http://www.openwall.com/lists/oss-security/2010/09/17/6
[2] http://www.omgubuntu.co.uk/2010/05/midori-0-2-5-released/
[3] http://www.twotoasts.de/bugs/index.php?do=details&task_id=743
[4] http://git.xfce.org/apps/midori/tree/ChangeLog
[5] http://www.twotoasts.de/bugs/index.php?do=details&task_id=168
[6] http://www.twotoasts.de/index.php?/archives/30-Validation,-vending-and-Vala.html

Note: 
=====
The current versions of the midori packages, as shipped with Fedora
releases 12 and 13, are already based on upstream v0.2.6 (soon these will
be based on upstream v0.2.8), so it is possible this flaw was already fixed.

If that is the case, please provide the link to the upstream changeset
addressing the issue and close this bug with "CURRENTRELEASE".
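
A triage helper for the version condition in the CVE text above, added here as an example (it is not part of the bug report or of Midori). It applies the CVE wording literally: Midori older than 0.2.5 together with WebKitGTK+ older than 1.1.14 or LibSoup older than 2.29.91. The function names and sample versions are assumptions made for illustration.

```python
import re

# Fixed versions, taken from the CVE text quoted in the description above.
MIDORI_FIXED = (0, 2, 5)
WEBKITGTK_FIXED = (1, 1, 14)
LIBSOUP_FIXED = (2, 29, 91)


def parse_version(text):
    """Turn '0.2.6' or an RPM-style '0.2.6-1.fc13' into a tuple of ints.

    Only the upstream version (before the first '-') is compared; the
    release suffix is ignored, so distribution backports are not detected.
    """
    upstream = text.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", upstream):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in upstream.split("."))


def older_than(version, fixed):
    """Compare numerically (so 1.1.2 < 1.1.14), padding short versions with zeros."""
    width = max(len(version), len(fixed))
    return (version + (0,) * (width - len(version))
            < fixed + (0,) * (width - len(fixed)))


def affected_by_cve_2010_3900(midori, webkitgtk, libsoup):
    """Return (affected, reasons) for one host, per the literal CVE wording."""
    if not older_than(parse_version(midori), MIDORI_FIXED):
        return False, ["midori is 0.2.5 or later"]
    reasons = []
    if older_than(parse_version(webkitgtk), WEBKITGTK_FIXED):
        reasons.append("WebKitGTK+ is older than 1.1.14")
    if older_than(parse_version(libsoup), LIBSOUP_FIXED):
        reasons.append("LibSoup is older than 2.29.91")
    if reasons:
        return True, ["midori is older than 0.2.5"] + reasons
    return False, ["WebKitGTK+ and LibSoup are both new enough"]


if __name__ == "__main__":
    # Constructed sample hosts; these version sets are illustrative only.
    samples = [("0.2.2", "1.1.15", "2.28.2"), ("0.2.6-1.fc13", "1.2.0", "2.30.0")]
    for versions in samples:
        print(versions, affected_by_cve_2010_3900(*versions))
```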

Comment 1 Kevin Fenzi 2010-10-15 15:27:22 UTC
I think this is fixed by: 

http://git.xfce.org/apps/midori/commit/?id=2507f971caa0d556164e09a6e5bbbaa1248119a0

Comment 2 Tomas Hoger 2010-10-18 14:59:37 UTC
Similar bug for epiphany - bug #636933.

Comment 3 Vincent Danen 2015-08-24 15:39:40 UTC
Current Fedora has midori 0.5.10 which should be fixed.