Bug 1204653 - (CVE-2015-2330) CVE-2015-2330 webkitgtk: TLS certificate late verification
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150317,repor...
Keywords: Security
Depends On: 1204654 1204655 1204657 1204658
Blocks: 1204669
Reported: 2015-03-23 06:11 EDT by Martin Prpič
Modified: 2016-11-02 14:03 EDT
CC: 8 users
Fixed In Version: WebKitGTK+ 2.6.5, WebKitGTK+ 2.4.8
Doc Type: Bug Fix
Description Martin Prpič 2015-03-23 06:11:28 EDT
It was found that WebKitGTK+ version 2.7.92 and earlier performed TLS certificate verification too late, after sending an HTTP request rather than before.

Applications are affected if they use the WebKit2GTK+ API with WEBKIT_TLS_ERRORS_POLICY_FAIL. (This policy is the default in WebKitGTK+ 2.6.2 and later; applications using earlier versions of WebKitGTK+ must opt in to certificate verification failures by calling webkit_web_context_set_tls_errors_policy.)

Applications using the original WebKitGTK+ 1 API are unaffected because they must handle certificate verification themselves.
Comment 1 Martin Prpič 2015-03-23 06:15:34 EDT
Created webkitgtk tracking bugs for this issue:

Affects: epel-7 [bug 1204658]
Comment 2 Martin Prpič 2015-03-23 06:15:37 EDT
Created mingw-webkitgtk tracking bugs for this issue:

Affects: epel-7 [bug 1204657]
Comment 3 Martin Prpič 2015-03-23 06:16:39 EDT
Created mingw-webkitgtk tracking bugs for this issue:

Affects: fedora-all [bug 1204654]

Created webkitgtk tracking bugs for this issue:

Affects: fedora-all [bug 1204655]
Comment 4 Martin Prpič 2015-03-23 06:32:36 EDT
Turns out the versioning in Fedora is a bit different and the tracking bugs for Fedora and EPEL should not have been filed:

Fedora and EPEL-7 contain webkitgtk, webkitgtk3, and webkitgtk4. webkitgtk3 and webkitgtk are the same sources with the latter being built as a version for gtk+-2.0 with disabled webkit2. On F21, webkitgtk3 WebKit2 is disabled due to the existence of webkitgtk4. To summarize:

F22, F23: webkitgtk4 fix included in the 2.7.92 update
F21: webkitgtk4 (webkitgtk3 unaffected because of --disable-webkit2)
F20: webkitgtk3 (webkitgtk4 does not exist yet)

RHEL 6 ships WebKitGTK version 1, which is not affected by this flaw. RHEL 7 does ship the affected version of WebKitGTK.
Comment 5 Huzaifa S. Sidhpurwala 2015-03-25 00:08:46 EDT
Upstream patch:

http://trac.webkit.org/changeset/181074

WebKit connects to the got-headers callback from libsoup, where it verifies the identity of the SSL connection, but by this time it has already started the exchange of private data.

In gvfs-ftps, verification is done from "notify::tls-errors" before any private data is really sent.

Evolution has a complicated mechanism for handling this. It connects to the "network-event" signal, and then, when the handshake occurs, casts the connection to a GTlsConnection and connects to the accept-certificate callback.

Therefore evolution is not affected by this issue.
Comment 6 Huzaifa S. Sidhpurwala 2015-03-25 00:10:17 EDT
Statement:

This issue affects the version of the webkitgtk3 package as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact; a future update may address this flaw.

This issue does not affect the version of webkitgtk package as shipped with Red Hat Enterprise Linux 6.
