Bug 863206 (CVE-2012-4511)

Summary: CVE-2012-4511 libsocialweb: connects with flickr server without user permission
Product: [Other] Security Response
Reporter: Max von Witzendorff <m.v.w>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: jlieskov, jrusnack, maurizio.antillon, pbrobinson, rob
Keywords: Security
Hardware: i686
OS: Linux
Whiteboard: impact=low,public=20121004,reported=20121004,source=researcher,cvss2=4.0/AV:N/AC:L/Au:S/C:P/I:N/A:N,fedora-all/libsocialweb=affected
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-11-25 13:50:24 EST
Bug Depends On: 865126

Description Max von Witzendorff 2012-10-04 13:01:55 EDT
Description of problem:
Whenever I connect to the Internet I see libsocialweb establishing a connection with 68.142.214.24 (flickr server). I do not have a flickr account.

Version-Release number of selected component (if applicable):
libsocialweb-0.25.20-1.fc16.i686
libsocialweb-keys-0.25.20-1.fc16.noarch

How reproducible:
Always

Steps to Reproduce:
1. disconnect network
2. reconnect
3. run sudo netstat -tanp | grep libsocialweb
  
Actual results:
netstat shows the following connection:
tcp        0      0 10.51.249.72:52028          68.142.214.24:80            ESTABLISHED 1617/libsocialweb-c

Expected results:
No connections with flickr servers.

Additional info:
Kernel: 3.4.11-1.fc16.i686.PAE
68.142.214.24 is www.flickr.mud.yahoo.com
process 1617 is /usr/libexec/libsocialweb-core
I captured two packets with wireshark:
1	3.574207	10.50.122.13	68.142.214.24	HTTP
GET /services/rest/?method=flickr%2Eauth%2EcheckToken&api%5Fsig=b4182f2f96c74c51ce141ae71c5555d3&api%5Fkey=d7953dc63a9498433bfdb4287ee2694b HTTP/1.1
Host: api.flickr.com
Connection: Keep-Alive
2	5.198500	68.142.214.24	10.50.122.13	HTTP/XML
HTTP/1.1 200 OK
Date: Thu, 04 Oct 2012 15:12:54 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Length: 109
Cache-Control: private
X-Served-By: www166.flickr.mud.yahoo.com
Vary: Accept-Encoding
Content-Type: text/xml; charset=utf-8
Connection: keep-alive
<?xml version="1.0" encoding="utf-8" ?>
<rsp stat="fail">
	<err code="98" msg="Invalid auth token" />
</rsp>
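A small triage script for the report above, as an added example that is not part of the bug report or of libsocialweb: it parses the `netstat -tanp` output, the captured request line and the Flickr XML reply to show which process opened the connection, which API method it called and what Flickr answered. The second netstat line (TEST-NET address, made-up pid) is constructed so the filter has something to ignore.

```python
"""Triage helpers for the libsocialweb/Flickr report (added example, not part
of the bug report or of libsocialweb)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# One `netstat -tanp` line: proto recv-q send-q local remote state pid/program
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)"
)


def find_unexpected_connections(netstat_output, program_prefix):
    """Return (pid, program, remote) for ESTABLISHED sockets owned by a program
    whose name starts with program_prefix (netstat truncates 'libsocialweb-core')."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m and m["state"] == "ESTABLISHED" and m["prog"].startswith(program_prefix):
            hits.append((int(m["pid"]), m["prog"], m["remote"]))
    return hits


def parse_flickr_request(request_line):
    """Decode the captured request line: returns the Flickr REST method and the
    sorted parameter names (parse_qs already percent-decodes them)."""
    _verb, target, _version = request_line.split()
    params = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    return params.get("method"), sorted(params)


def parse_flickr_response(body):
    """Return (stat, err_code, err_msg) from a Flickr REST XML reply."""
    root = ET.fromstring(body.encode("utf-8"))  # bytes keep the declaration valid
    err = root.find("err")
    if err is None:
        return root.get("stat"), None, None
    return root.get("stat"), int(err.get("code")), err.get("msg")


# Constructed sample input: the netstat line from the report plus one unrelated line.
SAMPLE_NETSTAT = """\
tcp        0      0 10.51.249.72:52028          68.142.214.24:80            ESTABLISHED 1617/libsocialweb-c
tcp        0      0 10.51.249.72:41002          192.0.2.10:443              ESTABLISHED 2210/firefox
"""
SAMPLE_REQUEST = ("GET /services/rest/?method=flickr%2Eauth%2EcheckToken"
                  "&api%5Fsig=b4182f2f96c74c51ce141ae71c5555d3"
                  "&api%5Fkey=d7953dc63a9498433bfdb4287ee2694b HTTP/1.1")
SAMPLE_RESPONSE = ('<?xml version="1.0" encoding="utf-8" ?>\n<rsp stat="fail">\n'
                   '\t<err code="98" msg="Invalid auth token" />\n</rsp>')
```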
Comment 1 Max von Witzendorff 2012-10-10 09:39:47 EDT
I am surprised no one seems to care about this bug, since I consider it quite a security problem when a program connects to the Internet without the user knowing it.
I am even more surprised that this hasn't already been fixed with the bugfix for this bug: bugzilla.redhat.com/show_bug.cgi?id=752022
How come I am experiencing the same problem now again, only with a flickr server?
By the way, I also don't understand why this library has to be a dependency of gnome-3. For me it's useless.
So for anybody coming here, having the same problem as me: If you don't need this social web stuff, you can prevent it from loading with
sudo chmod a-x /usr/lib/libsocialweb/services/*
Comment 2 Peter Robinson 2012-10-10 15:53:23 EDT
Security team: This is similar to RHBZ #752022, can you please deal?

Rob: You fixed a similar issue in the twitter plugin previously (https://bugzilla.redhat.com/show_bug.cgi?id=752022#c10), I'm not sure if this is still your remit, if not can you point me to the correct person now?

Max: it's not that I don't care, I've only just seen this :)
Comment 3 Vincent Danen 2012-10-10 17:17:43 EDT
Created libsocialweb tracking bugs for this issue

Affects: fedora-all [bug 865126]
Comment 4 Vincent Danen 2012-10-10 17:22:17 EDT
I've hijacked this bug as a security bug and filed a tracker for Fedora, as noted above.

CVE has been requested: http://www.openwall.com/lists/oss-security/2012/10/10/10
Comment 5 Jan Lieskovsky 2012-10-11 05:30:17 EDT
The CVE identifier of CVE-2012-4511 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2012/10/11/1
Comment 6 Rob Bradford 2012-10-15 04:06:31 EDT
Peter: I'll fix this and spin a new release for the tarball deadline today.
Comment 7 Peter Robinson 2012-10-15 07:35:18 EDT
(In reply to comment #6)
> Peter: I'll fix this and spin a new release for the tarball deadline today.

Rob: thanks. Can you review all the socialweb providers to ensure we have no others with issues as well? We've had this once before with twitter so it would be good to ensure we get them all.
Comment 8 Rob Bradford 2012-10-15 08:43:07 EDT
Peter: This problem is subtly different to the pattern that affected twitter. I already fixed all the issues that matched the twitter pattern in the last point release.

I would also question why this package is installed by default given that nothing on a stock F17 desktop install depends on it?
Comment 9 Peter Robinson 2012-10-15 09:24:18 EDT
> I would also question why this package is installed by default given that
> nothing on a stock F17 desktop install depends on it?

gnome-online-accounts links against it
Comment 10 Rob Bradford 2012-10-15 11:01:57 EDT
That's odd - when I did "yum remove libsocialweb" it didn't threaten to remove anything else (well, except libsocialweb-keys...:-)

Anyway there is a 0.25.21 on the servers for you.
Comment 11 Fedora Update System 2012-11-22 22:09:58 EST
libsocialweb-0.25.21-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-11-22 22:10:21 EST
libsocialweb-0.25.21-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Peter Robinson 2012-11-25 13:50:24 EST
libsocialweb-0.25.21-1 has been pushed to all current releases, F-18 and rawhide