libgdata: Man-in-the-Middle attack — GLSA 201208-06

A vulnerability in libgdata could allow remote attackers to perform man-in-the-middle attacks.

Affected Packages

dev-libs/libgdata on all architectures
Affected versions < 0.8.1-r2
Unaffected versions >= 0.8.1-r2

Background

libgdata is a GLib-based library for accessing online service APIs using the GData protocol.

Description

An error in the "_gdata_service_build_session()" function of gdata-service.c prevents libgdata from properly validating certificates.

Impact

A remote attacker could perform man-in-the-middle attacks to spoof arbitrary SSL servers via a crafted certificate.

Workaround

There is no known workaround at this time.

Resolution

All libgdata users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/libgdata-0.8.1-r2"
 

References

Release Date
August 14, 2012

Latest Revision
August 14, 2012: 1

Severity
normal

Exploitable
remote

Bugzilla entries