|Summary:||CVE-2012-4511 libsocialweb: connects with flickr server without user permission|
|Product:||[Other] Security Response||Reporter:||Max von Witzendorff <m.v.w>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||jlieskov, jrusnack, maurizio.antillon, pbrobinson, rob|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2012-11-25 18:50:24 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||865126|
Description Max von Witzendorff 2012-10-04 17:01:55 UTC
Description of problem: Whenever I connect to the Internet I see libsocialweb establishing a connection with 18.104.22.168 (flickr server). I do not have a flickr account. Version-Release number of selected component (if applicable): libsocialweb-0.25.20-1.fc16.i686 libsocialweb-keys-0.25.20-1.fc16.noarch How reproducible: Always Steps to Reproduce: 1. disconnect network 2. reconnect 3. run sudo netstat -tanp | grep libsocialweb Actual results: netstat shows the following connection: tcp 0 0 10.51.249.72:52028 22.214.171.124:80 ESTABLISHED 1617/libsocialweb-c Expected results: No connections with flickr servers. Additional info: Kernel: 3.4.11-1.fc16.i686.PAE 126.96.36.199 is www.flickr.mud.yahoo.com process 1617 is /usr/libexec/libsocialweb-core I captured two packets with wireshark: 1 3.574207 10.50.122.13 188.8.131.52 HTTP GET /services/rest/?method=flickr%2Eauth%2EcheckToken&api%5Fsig=b4182f2f96c74c51ce141ae71c5555d3&api%5Fkey=d7953dc63a9498433bfdb4287ee2694b HTTP/1.1 Host: api.flickr.com Connection: Keep-Alive 2 5.198500 184.108.40.206 10.50.122.13 HTTP/XML HTTP/1.1 200 OK Date: Thu, 04 Oct 2012 15:12:54 GMT P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Content-Length: 109 Cache-Control: private X-Served-By: www166.flickr.mud.yahoo.com Vary: Accept-Encoding Content-Type: text/xml; charset=utf-8 Connection: keep-alive <?xml version="1.0" encoding="utf-8" ?> <rsp stat="fail"> <err code="98" msg="Invalid auth token" /> </rsp>
Comment 1 Max von Witzendorff 2012-10-10 13:39:47 UTC
I am surprised no one seems to care about this bug, since i consider it quite a security problem when a program connects to the Internet without the user knowing it. I am even more surprised that this hasn't been already fixed with the bugfix for this bug: bugzilla.redhat.com/show_bug.cgi?id=752022 How come I am expiring the same problem now again, only with a flickr server? By the way I also don't understand why this library has to be a dependency of gnome-3. For me its useless. So for anybody coming here, having the same problem as me: If you don't need this social web stuff, you can prevent it from loading with sudo chmod a-x /usr/lib/libsocialweb/services/*
Comment 2 Peter Robinson 2012-10-10 19:53:23 UTC
Security team: This is similar to RHBZ # 752022 can you please deal? Rob: You fixed a similar issue in the twitter plugin previously (https://bugzilla.redhat.com/show_bug.cgi?id=752022#c10) , I'm not sure if this is still your remit, if not can you point me to the correct person now? Max: it's not that I don't care, I've only just seen this :)
Comment 3 Vincent Danen 2012-10-10 21:17:43 UTC
Created libsocialweb tracking bugs for this issue Affects: fedora-all [bug 865126]
Comment 4 Vincent Danen 2012-10-10 21:22:17 UTC
I've hijacked this bug as a security bug and filed a tracker for Fedora, as noted above. CVE has been requested: http://www.openwall.com/lists/oss-security/2012/10/10/10
Comment 5 Jan Lieskovsky 2012-10-11 09:30:17 UTC
The CVE identifier of CVE-2012-4511 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/10/11/1
Comment 6 Rob Bradford 2012-10-15 08:06:31 UTC
Peter: I'll fix this and spin a new release for the tarball deadline today.
Comment 7 Peter Robinson 2012-10-15 11:35:18 UTC
(In reply to comment #6) > Peter: I'll fix this and spin a new release for the tarball deadline today. Rob: thanks. Can you review all the socialweb providers to ensure we have no others with issues as well. We've had this once before with twitter so it would be good to ensure we get them all.
Comment 8 Rob Bradford 2012-10-15 12:43:07 UTC
Peter: This problem is subtly different to the pattern that affected twitter. I already fixed all the issues that matched the twitter pattern in the last point release. I would also question why this package is installed by default given that nothing on a stock F17 desktop install depends on it?
Comment 9 Peter Robinson 2012-10-15 13:24:18 UTC
> I would also question why this package is installed by default given that > nothing on a stock F17 desktop install depends on it? gnome-online-accounts links against it
Comment 10 Rob Bradford 2012-10-15 15:01:57 UTC
That's odd - when I did "yum remove libsocialweb" it didn't threaten to remove anything else (well, except libsocialweb-keys...:-) Anyway there is a 0.25.21 on the servers for you.
Comment 11 Fedora Update System 2012-11-23 03:09:58 UTC
libsocialweb-0.25.21-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-11-23 03:10:21 UTC
libsocialweb-0.25.21-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Peter Robinson 2012-11-25 18:50:24 UTC
libsocialweb-0.25.21-1 has been pushed to all current releases, F-18 and rawhide