Red Hat Bugzilla – Bug 863206
CVE-2012-4511 libsocialweb: connects with flickr server without user permission
Last modified: 2015-07-31 06:12:08 EDT
Description of problem:
Whenever I connect to the Internet I see libsocialweb establishing a connection with 22.214.171.124 (flickr server). I do not have a flickr account.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. disconnect network
3. run sudo netstat -tanp | grep libsocialweb
netstat shows the following connection:
tcp 0 0 10.51.249.72:52028 126.96.36.199:80 ESTABLISHED 1617/libsocialweb-c
No connections with flickr servers.
188.8.131.52 is www.flickr.mud.yahoo.com
process 1617 is /usr/libexec/libsocialweb-core
I captured two packets with wireshark:
1 3.574207 10.50.122.13 184.108.40.206 HTTP
GET /services/rest/?method=flickr%2Eauth%2EcheckToken&api%5Fsig=b4182f2f96c74c51ce141ae71c5555d3&api%5Fkey=d7953dc63a9498433bfdb4287ee2694b HTTP/1.1
2 5.198500 220.127.116.11 10.50.122.13 HTTP/XML
HTTP/1.1 200 OK
Date: Thu, 04 Oct 2012 15:12:54 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/xml; charset=utf-8
<?xml version="1.0" encoding="utf-8" ?>
<err code="98" msg="Invalid auth token" />
I am surprised no one seems to care about this bug, since i consider it quite a security problem when a program connects to the Internet without the user knowing it.
I am even more surprised that this hasn't been already fixed with the bugfix for this bug: bugzilla.redhat.com/show_bug.cgi?id=752022
How come I am expiring the same problem now again, only with a flickr server?
By the way I also don't understand why this library has to be a dependency of gnome-3. For me its useless.
So for anybody coming here, having the same problem as me: If you don't need this social web stuff, you can prevent it from loading with
sudo chmod a-x /usr/lib/libsocialweb/services/*
Security team: This is similar to RHBZ # 752022 can you please deal?
Rob: You fixed a similar issue in the twitter plugin previously (https://bugzilla.redhat.com/show_bug.cgi?id=752022#c10) , I'm not sure if this is still your remit, if not can you point me to the correct person now?
Max: it's not that I don't care, I've only just seen this :)
Created libsocialweb tracking bugs for this issue
Affects: fedora-all [bug 865126]
I've hijacked this bug as a security bug and filed a tracker for Fedora, as noted above.
CVE has been requested: http://www.openwall.com/lists/oss-security/2012/10/10/10
The CVE identifier of CVE-2012-4511 has been assigned to this issue:
Peter: I'll fix this and spin a new release for the tarball deadline today.
(In reply to comment #6)
> Peter: I'll fix this and spin a new release for the tarball deadline today.
Rob: thanks. Can you review all the socialweb providers to ensure we have no others with issues as well. We've had this once before with twitter so it would be good to ensure we get them all.
Peter: This problem is subtly different to the pattern that affected twitter. I already fixed all the issues that matched the twitter pattern in the last point release.
I would also question why this package is installed by default given that nothing on a stock F17 desktop install depends on it?
> I would also question why this package is installed by default given that
> nothing on a stock F17 desktop install depends on it?
gnome-online-accounts links against it
That's odd - when I did "yum remove libsocialweb" it didn't threaten to remove anything else (well, except libsocialweb-keys...:-)
Anyway there is a 0.25.21 on the servers for you.
libsocialweb-0.25.21-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
libsocialweb-0.25.21-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
libsocialweb-0.25.21-1 has been pushed to all current releases, F-18 and rawhide