From 2c6ea642663e2a44efc8583fae7c54b7b98f72b3 Mon Sep 17 00:00:00 2001
From: Ariadne Conill
Date: Mon, 7 Jun 2021 18:51:07 -0600
Subject: [PATCH] Ensure the ssl-use-system-ca-file property is set to true on all SoupSessions.
The default SoupSessionSync and SoupSessionAsync behaviour does not perform any TLS certificate validation, unless the ssl-use-system-ca-file property is set to true. This mitigates CVE-2016-20011.
---
 src/feed-channel.c | 2 ++
 src/feed-enclosure.c | 4 ++++
 src/feeds-pool.c | 1 +
 src/feeds-publisher.c | 4 +++-
 src/feeds-subscriber.c | 4 +++-
 5 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/feed-channel.c b/src/feed-channel.c
index 19ca7b2..d2d51b9 100644
--- a/src/feed-channel.c
+++ b/src/feed-channel.c
@@ -973,6 +973,8 @@ quick_and_dirty_parse (GrssFeedChannel *channel, SoupMessage *msg, GList **save_
 static void init_soup_session (SoupSession *session, GrssFeedChannel *channel)
 {
+ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
+
 if (channel->priv->jar != NULL) soup_session_add_feature (session, SOUP_SESSION_FEATURE (channel->priv->jar));
 if (channel->priv->gzip == TRUE)
diff --git a/src/feed-enclosure.c b/src/feed-enclosure.c
index 68ebbfe..2cd8f9e 100644
--- a/src/feed-enclosure.c
+++ b/src/feed-enclosure.c
@@ -220,6 +220,8 @@ grss_feed_enclosure_fetch (GrssFeedEnclosure *enclosure, GError **error)
 url = grss_feed_enclosure_get_url (enclosure);
 session = soup_session_sync_new ();
+ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
+
 msg = soup_message_new ("GET", url);
 status = soup_session_send_message (session, msg);
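Review bot: The added `g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);` in init_soup_session has no comment saying why it is there, and the same line is repeated in the feed-enclosure.c, feeds-pool.c, feeds-publisher.c and feeds-subscriber.c hunks, so a later session-creation site can leave it out without anyone noticing. I would move the call into one shared internal helper and document the reason once, for example `/* SoupSessionSync/SoupSessionAsync accept any certificate unless a CA source is configured (CVE-2016-20011) */`. The commit message states this reason, but the code does not. init_soup_session's body continues past the end of the hunk.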
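Review bot: A rejected certificate now comes back from `soup_session_send_message (session, msg)` as a failure status, and the code that turns `status` into the `GError` is outside this hunk, so it cannot be seen here whether that case is reported distinctly. It is worth confirming that `SOUP_STATUS_SSL_FAILED` produces a message that names the TLS failure, so a feed with an untrusted or expired certificate is not shown as a generic download error. As a smaller point, the property could be passed at construction, `session = soup_session_sync_new_with_options ("ssl-use-system-ca-file", TRUE, NULL);`, which leaves no moment at which the session exists without a CA source. The same applies to the `soup_session_async_new ()` call in grss_feed_enclosure_fetch_async.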
@@ -282,6 +284,8 @@ grss_feed_enclosure_fetch_async (GrssFeedEnclosure *enclosure, GAsyncReadyCallba
 task = g_task_new (enclosure, NULL, callback, user_data);
 session = soup_session_async_new ();
+ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
+
 msg = soup_message_new ("GET", grss_feed_enclosure_get_url (enclosure));
 soup_session_queue_message (session, msg, enclosure_downloaded, task);
 }
diff --git a/src/feeds-pool.c b/src/feeds-pool.c
index f18f3cd..7b33956 100644
--- a/src/feeds-pool.c
+++ b/src/feeds-pool.c
@@ -178,6 +178,7 @@ grss_feeds_pool_init (GrssFeedsPool *node)
 memset (node->priv, 0, sizeof (GrssFeedsPoolPrivate));
 node->priv->parser = grss_feed_parser_new ();
 node->priv->soupsession = soup_session_async_new ();
+ g_object_set (G_OBJECT (node->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
 }
 /**
diff --git a/src/feeds-publisher.c b/src/feeds-publisher.c
index 427a54f..500cd96 100644
--- a/src/feeds-publisher.c
+++ b/src/feeds-publisher.c
@@ -888,8 +888,10 @@ create_and_run_server (GrssFeedsPublisher *pub)
 {
 SoupAddress *soup_addr;
- if (pub->priv->soupsession == NULL)
+ if (pub->priv->soupsession == NULL) {
 pub->priv->soupsession = soup_session_async_new ();
+ g_object_set (G_OBJECT (pub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
+ }
 soup_addr = soup_address_new_any (SOUP_ADDRESS_FAMILY_IPV4, pub->priv->port);
 pub->priv->server = soup_server_new ("port", pub->priv->port, "interface", soup_addr, NULL);
diff --git a/src/feeds-subscriber.c b/src/feeds-subscriber.c
index 259f891..0f63f83 100644
--- a/src/feeds-subscriber.c
+++ b/src/feeds-subscriber.c
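Review bot: In create_and_run_server the property is set only inside the `if (pub->priv->soupsession == NULL)` branch, so a session that already exists when the function runs is used as it is. If the field can be assigned anywhere else (not visible in this hunk), that session would still accept any certificate. Setting the property after the check, outside the braces, is idempotent and covers both cases: `g_object_set (G_OBJECT (pub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);`. The same applies to `sub->priv->soupsession` in init_run_server in the feeds-subscriber.c hunk. Both function bodies continue outside their hunks.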
@@ -513,8 +513,10 @@ init_run_server (GrssFeedsSubscriber *sub)
 {
 GInetAddress *addr;
- if (sub->priv->soupsession == NULL)
+ if (sub->priv->soupsession == NULL) {
 sub->priv->soupsession = soup_session_async_new ();
+ g_object_set (G_OBJECT (sub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);
+ }
 /* Flow:
-- 
GitLab
scm (make-avr-gcc): Remove uneeded phases and flags for multilib. * gnu/packages/cross-base (cross-gcc-arguments) <#:configure-flags> [target-avr?]: Remove --disable-multilib and add --enable-multilib. Change-Id: Id68d803057ac898f0a670f10487b08bf0891ab0b Signed-off-by: Efraim Flashner <efraim@flashner.co.il> Jean-Pierre De Jesus DIAZ 2023-12-11gnu: make-avr-libc: Fix synopsis....* gnu/packages/avr.scm (make-avr-libc/implementation): Drop 'The' from synopsis. Change-Id: Idb6c008d709a988075789a6220af63f4917c2179 Signed-off-by: Efraim Flashner <efraim@flashner.co.il> Jean-Pierre De Jesus DIAZ 2023-12-11gnu: microscheme: Move to avr-xyz....* gnu/packages/avr.scm (microscheme): Move to ... * gnu/packages/avr-xyz.scm (microscheme): ... here. Change-Id: I1272bfc98b583ab0ab36fcba5a8e19ae018b0b80 Signed-off-by: Efraim Flashner <efraim@flashner.co.il> Jean-Pierre De Jesus DIAZ