Bug 863206 (CVE-2012-4511)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2012-4511 libsocialweb: connects with flickr server without user permission | | |
| Product | [Other] Security Response | Reporter | Max von Witzendorff <m.v.w> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | unspecified | CC | jlieskov, jrusnack, maurizio.antillon, pbrobinson, rob |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | i686 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2012-11-25 18:50:24 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 865126 | | |
| Bug Blocks | | | |
Description

Max von Witzendorff
2012-10-04 17:01:55 UTC

I am surprised no one seems to care about this bug, since I consider it quite a security problem when a program connects to the Internet without the user knowing it. I am even more surprised that this hasn't already been fixed with the bugfix for this bug: bugzilla.redhat.com/show_bug.cgi?id=752022

How come I am experiencing the same problem now again, only with a flickr server?

By the way, I also don't understand why this library has to be a dependency of gnome-3. For me it's useless.

So for anybody coming here having the same problem as me: if you don't need this social web stuff, you can prevent it from loading with `sudo chmod a-x /usr/lib/libsocialweb/services/*`

Security team: This is similar to RHBZ #752022, can you please deal?

Rob: You fixed a similar issue in the twitter plugin previously (https://bugzilla.redhat.com/show_bug.cgi?id=752022#c10). I'm not sure if this is still your remit; if not, can you point me to the correct person now?

Max: it's not that I don't care, I've only just seen this :)

Created libsocialweb tracking bugs for this issue

Affects: fedora-all [bug 865126]

I've hijacked this bug as a security bug and filed a tracker for Fedora, as noted above.

CVE has been requested: http://www.openwall.com/lists/oss-security/2012/10/10/10

The CVE identifier of CVE-2012-4511 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/10/11/1

Peter: I'll fix this and spin a new release for the tarball deadline today.

(In reply to comment #6)
> Peter: I'll fix this and spin a new release for the tarball deadline today.

Rob: thanks. Can you review all the socialweb providers to ensure we have no others with issues as well? We've had this once before with twitter, so it would be good to ensure we get them all.

Peter: This problem is subtly different to the pattern that affected twitter. I already fixed all the issues that matched the twitter pattern in the last point release.

I would also question why this package is installed by default given that nothing on a stock F17 desktop install depends on it?

> I would also question why this package is installed by default given that
> nothing on a stock F17 desktop install depends on it?

gnome-online-accounts links against it

That's odd - when I did "yum remove libsocialweb" it didn't threaten to remove anything else (well, except libsocialweb-keys... :-)

Anyway there is a 0.25.21 on the servers for you.

libsocialweb-0.25.21-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

libsocialweb-0.25.21-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

libsocialweb-0.25.21-1 has been pushed to all current releases, F-18 and rawhide
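As an added example (not code from the bug report, from libsocialweb or from Fedora), the following POSIX shell script turns the two actionable points of this thread into checks an administrator can run: whether the installed libsocialweb is at or past 0.25.21, the release the update messages above report as pushed for this CVE, and, where it is not, applying and then verifying the `chmod a-x` workaround the reporter posted. It assumes GNU `sort -V` and `find`, an rpm-based system for the version query, and the `/usr/lib/libsocialweb/services` path from the i686 report; on x86_64 Fedora the plugin directory is under `/usr/lib64` instead (an assumption not stated on the page), which is why the directory is a parameter rather than hard-coded.

```shell
#!/bin/sh
# Added example for CVE-2012-4511 (not from the bug report or from libsocialweb).
#  1. libsocialweb_is_fixed VERSION   -> 0 if VERSION >= 0.25.21 (release with the fix)
#  2. disable_socialweb_services DIR  -> strip execute bits from the service plugins
#  3. socialweb_services_disabled DIR -> 0 if no plugin in DIR is still executable

FIXED_VERSION="0.25.21"   # from the "has been pushed to ... stable" messages in the bug

# Returns 0 when $1 (e.g. "0.25.20" or "0.25.21-1.fc17") is >= FIXED_VERSION.
# sort -V (GNU coreutils) orders dotted versions numerically, so the first line
# of the sorted pair is the lower version.
libsocialweb_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# Installed package version, e.g. "0.25.20"; empty if not installed or no rpm.
installed_libsocialweb_version() {
    rpm -q --qf '%{VERSION}' libsocialweb 2>/dev/null || true
}

# The reporter's workaround: libsocialweb-core launches each provider from this
# directory, so removing the execute bit stops every provider (not only flickr)
# from being started. DIR defaults to the i686 path from the report; use
# /usr/lib64/libsocialweb/services on x86_64 (assumption, not stated in the bug).
disable_socialweb_services() {
    dir=${1:-/usr/lib/libsocialweb/services}
    chmod a-x "$dir"/*
}

# Returns 0 when no regular file directly under DIR has any execute bit set.
# An absent directory also counts as disabled: there is nothing to load.
socialweb_services_disabled() {
    dir=${1:-/usr/lib/libsocialweb/services}
    [ -d "$dir" ] || return 0
    [ -z "$(find "$dir" -maxdepth 1 -type f -perm /111 2>/dev/null)" ]
}

# Stand-alone use: "sh this.sh --check" reports where this host stands.
if [ "${1:-}" = "--check" ]; then
    v=$(installed_libsocialweb_version)
    if [ -z "$v" ]; then
        echo "libsocialweb is not installed"
    elif libsocialweb_is_fixed "$v"; then
        echo "libsocialweb $v: fixed (>= $FIXED_VERSION)"
    elif socialweb_services_disabled; then
        echo "libsocialweb $v: vulnerable version, but service plugins are not executable (workaround in place)"
    else
        echo "libsocialweb $v: vulnerable; update to $FIXED_VERSION or run disable_socialweb_services"
    fi
fi
```

The version check is the one that matters long term: a later package update reinstalls the plugin binaries with their execute bits, so the `chmod` workaround silently stops applying, and a post-update run of `socialweb_services_disabled` is the way to notice. The workaround is also coarser than the fix in 0.25.21, since it disables every provider rather than correcting the flickr plugin's connect-without-permission behaviour.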