From 6e0575e8d56f007c545c64b659a5f183ac0a566c Mon Sep 17 00:00:00 2001
From: Bastien Nocera
Date: Tue, 22 Jun 2021 14:23:43 +0200
Subject: [PATCH] + grilo-0.3.13-4 Clarify license Fix TLS not being validated correctly
---
 ...ld-Clarify-LGPLv2.1-or-later-license.patch | 59 +++++++++++++++++++
 ...-validation-not-being-done-for-any-n.patch | 33 +++++++++++
 grilo.spec | 15 ++++-
 3 files changed, 105 insertions(+), 2 deletions(-)
 create mode 100644 0001-build-Clarify-LGPLv2.1-or-later-license.patch
 create mode 100644 0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch
diff --git a/0001-build-Clarify-LGPLv2.1-or-later-license.patch b/0001-build-Clarify-LGPLv2.1-or-later-license.patch
new file mode 100644
index 0000000..c702dd0
--- /dev/null
+++ b/0001-build-Clarify-LGPLv2.1-or-later-license.patch
@@ -0,0 +1,59 @@ +From 89537b8c4bae8857078de5d084f79ffe532a7ba8 Mon Sep 17 00:00:00 2001 +From: Bastien Nocera +Date: Mon, 21 Jun 2021 14:16:37 +0200 +Subject: [PATCH 1/2] build: Clarify LGPLv2.1 or later license + +The COPYING file by itself isn't enough to know under which license the +project is released, as a combined work. + +Clarify this in the build system and the README. +--- + README.md | 5 +++++ + doc/grilo/overview.xml | 3 ++- + meson.build | 2 +- + 3 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/README.md b/README.md +index c6fe38e..16f9453 100644 +--- a/README.md ++++ b/README.md +@@ -89,4 +89,9 @@ ninja -C build + ./build/tools/grilo-test-ui/grilo-test-ui-0.3 + ``` + ++## License ++ ++grilo is available under the [GNU Lesser General Public License v2.1 or later](https://spdx.org/licenses/LGPL-2.1-or-later.html). ++Check the sources themselves for individual copyrights and licenses. ++ + Enjoy! +diff --git a/doc/grilo/overview.xml b/doc/grilo/overview.xml +index aa169ae..52b8e41 100644 +--- a/doc/grilo/overview.xml ++++ b/doc/grilo/overview.xml +@@ -99,7 +99,8 @@ developers. + + + +-Grilo is licensed under the GNU Lesser General Public License (LGPL). ++Grilo is licensed under the GNU Lesser General Public License (LGPL) ++version 2.1 or later. + + + +diff --git a/meson.build b/meson.build +index cf12454..f76d790 100644 +--- a/meson.build ++++ b/meson.build +@@ -12,7 +12,7 @@ project('grilo', 'c', + 'c_std=gnu99', + 'warning_level=1' + ], +- license: 'LGPL 2.1', ++ license: 'LGPL-2.1-or-later', + meson_version: '>= 0.46.0') + + grilo_version = meson.project_version() +-- +2.31.1 + diff --git a/0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch b/0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch new file mode 100644 index 0000000..743d4bc --- /dev/null +++ b/0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch 
@@ -0,0 +1,33 @@ +From cd2472e506dafb1bb8ae510e34ad4797f63e263e Mon Sep 17 00:00:00 2001 +From: Bastien Nocera +Date: Mon, 21 Jun 2021 15:00:14 +0200 +Subject: [PATCH 2/2] net: Fix TLS cert validation not being done for any + network call + +The default SoupSessionAsync behaviour does not perform any TLS certificate +validation, unless the ssl-use-system-ca-file property is set to true. + +See https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/ + +This mitigates CVE-2016-20011. + +Closes: #146 +--- + libs/net/grl-net-wc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libs/net/grl-net-wc.c b/libs/net/grl-net-wc.c +index 5a8e89f..5ff1d17 100644 +--- a/libs/net/grl-net-wc.c ++++ b/libs/net/grl-net-wc.c +@@ -314,6 +314,7 @@ grl_net_wc_init (GrlNetWc *wc) + wc->priv = grl_net_wc_get_instance_private (wc); + + wc->priv->session = soup_session_async_new (); ++ g_object_set (G_OBJECT (wc->priv->session), "ssl-use-system-ca-file", TRUE, NULL); + wc->priv->pending = g_queue_new (); + + set_thread_context (wc); +-- +2.31.1 + diff --git a/grilo.spec b/grilo.spec index f112043..908a888 100644 --- a/grilo.spec +++ b/grilo.spec @@ -3,7 +3,7 @@ Name: grilo Version: 0.3.13 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Content discovery framework License: LGPLv2+ @@ -11,6 +11,7 @@ URL: https://wiki.gnome.org/Projects/Grilo Source0: https://download.gnome.org/sources/grilo/%{release_version}/grilo-%{version}.tar.xz BuildRequires: meson +BuildRequires: git BuildRequires: chrpath BuildRequires: gettext BuildRequires: vala >= 0.27.1 
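Review bot: The added `g_object_set` line turns certificate checking on through a single property but keeps the session on the deprecated `soup_session_async_new ()` constructor whose insecure defaults caused the problem; a plain `soup_session_new ()` session defaults to both `ssl-use-system-ca-file` and `ssl-strict` being TRUE and would remove the special case, provided the rest of grl-net-wc.c tolerates the plain SoupSession API. The new line also carries no comment, so a later cleanup could drop it without seeing the consequence; add `/* SoupSessionAsync skips TLS certificate validation unless this is set (CVE-2016-20011) */` above it. The fix further relies on `ssl-strict` staying at its default of TRUE, which nothing in the hunk asserts or documents. `grl_net_wc_init` begins before and continues after this hunk.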
@@ -24,6 +25,11 @@ BuildRequires: gtk3-devel BuildRequires: liboauth-devel BuildRequires: totem-pl-parser-devel +# https://gitlab.gnome.org/GNOME/grilo/-/merge_requests/77 +Patch0: 0001-build-Clarify-LGPLv2.1-or-later-license.patch +# https://gitlab.gnome.org/GNOME/grilo/-/merge_requests/78 +Patch1: 0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch + %description Grilo is a framework that provides access to different sources of multimedia content, using a pluggable system. @@ -40,7 +46,7 @@ This package contains the core library and elements, as well as general and API documentation. %prep -%autosetup -p1 +%autosetup -p1 -S git %build %meson -Denable-gtk-doc=true @@ -80,6 +86,11 @@ mkdir -p $RPM_BUILD_ROOT%{_datadir}/grilo-%{release_version}/plugins/ %{_datadir}/vala/ %changelog +* Tue Jun 22 2021 Bastien Nocera - 0.3.13-4 ++ grilo-0.3.13-4 +- Clarify license +- Fix TLS not being validated correctly + * Tue Jan 26 2021 Fedora Release Engineering - 0.3.13-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
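Review bot: The `%autosetup -p1 -S git` change relies on the `BuildRequires: git` added in the earlier `@@ -11,6 +11,7 @@` hunk, which pulls in the full git package with its extra dependencies; `git-core` suffices for applying patches and is what Fedora's packaging guidelines recommend here, so consider `BuildRequires: git-core`. The two `Patch` declarations are otherwise fine, each linking to its upstream merge request.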