Bug 922895

Summary: VUL-0: CVE-2015-2330: webkit: WebKitGTK+ late TLS certificate verification
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Federico Mena Quintero <federico>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: sreeves
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv2:RedHat:CVE-2015-2330:4.3:(AV:N/AC:M/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2015-2330:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) maint:planned:update
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2015-03-18 10:01:57 UTC
via oss-sec


From: Michael Catanzaro <mcatanzaro@igalia.com>
Subject: [oss-security] CVE Request: WebKitGTK+ late TLS certificate verification


WebKitGTK+ [1] prior to 2.7.92 performed TLS certificate verification
too late, after sending an HTTP request rather than before. The issue
may be corrected for WebKitGTK+ 2.6.5 and WebKitGTK+ 2.4.8 using the
patch at [2]. Applications are affected if they use the WebKit2GTK+ API
with WEBKIT_TLS_ERRORS_POLICY_FAIL. (This policy is the default in
WebKitGTK+ 2.6.2 and later; applications using earlier versions of
WebKitGTK+ must opt-in to certificate verification failures by calling
webkit_web_context_set_tls_errors_policy.) Applications using the
original WebKitGTK+ 1 API are unaffected because they must handle
certificate verification themselves.

Please assign a CVE for this issue.



[1] http://webkitgtk.org/
Comment 1 Scott Reeves 2015-03-18 22:05:41 UTC
Federico - can you add this on top of the pending 2.4.4 upgrade...
Comment 2 Scott Reeves 2015-03-18 22:06:39 UTC
(In reply to Scott Reeves from comment #1)
> Federico - can you add this on top of the pending 2.4.4 upgrade...

Comment 3 Swamp Workflow Management 2015-03-18 23:00:21 UTC
bugbot adjusting priority
Comment 4 Federico Mena Quintero 2015-03-19 02:12:25 UTC
Yes, let me see if the CVE is public in the webkit commits yet.
Comment 5 Federico Mena Quintero 2015-03-19 23:20:40 UTC
Pulling in the patch from upstream.
Comment 6 Federico Mena Quintero 2015-03-21 01:18:43 UTC
Submitted an updated webkitgtk-2.4.8 to the IBS with request id 53642.