From 2c6ea642663e2a44efc8583fae7c54b7b98f72b3 Mon Sep 17 00:00:00 2001 From: Ariadne Conill Date: Mon, 7 Jun 2021 18:51:07 -0600 Subject: [PATCH] Ensure the ssl-use-system-ca-file property is set to true on all SoupSessions. The default SoupSessionSync and SoupSessionAsync behaviour does not perform any TLS certificate validation, unless the ssl-use-system-ca-file property is set to true. This mitigates CVE-2016-20011. --- src/feed-channel.c | 2 ++ src/feed-enclosure.c | 4 ++++ src/feeds-pool.c | 1 + src/feeds-publisher.c | 4 +++- src/feeds-subscriber.c | 4 +++- 5 files changed, 13 insertions(+), 2 deletions(-) diff --git a/src/feed-channel.c b/src/feed-channel.c index 19ca7b2..d2d51b9 100644 --- a/src/feed-channel.c +++ b/src/feed-channel.c @@ -973,6 +973,8 @@ quick_and_dirty_parse (GrssFeedChannel *channel, SoupMessage *msg, GList **save_ static void init_soup_session (SoupSession *session, GrssFeedChannel *channel) { + g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL); + if (channel->priv->jar != NULL) soup_session_add_feature (session, SOUP_SESSION_FEATURE (channel->priv->jar)); if (channel->priv->gzip == TRUE) diff --git a/src/feed-enclosure.c b/src/feed-enclosure.c index 68ebbfe..2cd8f9e 100644 --- a/src/feed-enclosure.c +++ b/src/feed-enclosure.c @@ -220,6 +220,8 @@ grss_feed_enclosure_fetch (GrssFeedEnclosure *enclosure, GError **error) url = grss_feed_enclosure_get_url (enclosure); session = soup_session_sync_new (); + g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL); + msg = soup_message_new ("GET", url); status = soup_session_send_message (session, msg); 
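Review bot: The same `g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);` is now hand-copied into every SoupSession construction site (init_soup_session here, both fetch paths in feed-enclosure.c, grss_feeds_pool_init, create_and_run_server and init_run_server), so the next `soup_session_async_new ()` added to the tree starts out without certificate validation again. A one-line internal helper, e.g. `static void init_session_tls (SoupSession *s) { g_object_set (G_OBJECT (s), "ssl-use-system-ca-file", TRUE, NULL); }`, called right after each constructor would make the hardened configuration the default rather than something each caller must remember. Since g_object_set resolves the property by name at runtime, a misspelling or a libsoup build that lacks the property yields only a GLib critical, not a compile error, so the call deserves a comment such as `/* SoupSessionSync/Async do not load the system CA file by default (CVE-2016-20011) */` explaining why it must stay. Validation failures only abort the request while `ssl-strict` stays at its default of TRUE; nothing in the hunks changes it, but that assumption is worth stating next to the call.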
@@ -282,6 +284,8 @@ grss_feed_enclosure_fetch_async (GrssFeedEnclosure *enclosure, GAsyncReadyCallba task = g_task_new (enclosure, NULL, callback, user_data); session = soup_session_async_new (); + g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL); + msg = soup_message_new ("GET", grss_feed_enclosure_get_url (enclosure)); soup_session_queue_message (session, msg, enclosure_downloaded, task); } diff --git a/src/feeds-pool.c b/src/feeds-pool.c index f18f3cd..7b33956 100644 --- a/src/feeds-pool.c +++ b/src/feeds-pool.c @@ -178,6 +178,7 @@ grss_feeds_pool_init (GrssFeedsPool *node) memset (node->priv, 0, sizeof (GrssFeedsPoolPrivate)); node->priv->parser = grss_feed_parser_new (); node->priv->soupsession = soup_session_async_new (); + g_object_set (G_OBJECT (node->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL); } /** diff --git a/src/feeds-publisher.c b/src/feeds-publisher.c index 427a54f..500cd96 100644 --- a/src/feeds-publisher.c +++ b/src/feeds-publisher.c @@ -888,8 +888,10 @@ create_and_run_server (GrssFeedsPublisher *pub) { SoupAddress *soup_addr; - if (pub->priv->soupsession == NULL) + if (pub->priv->soupsession == NULL) { pub->priv->soupsession = soup_session_async_new (); + g_object_set (G_OBJECT (pub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL); + } soup_addr = soup_address_new_any (SOUP_ADDRESS_FAMILY_IPV4, pub->priv->port); pub->priv->server = soup_server_new ("port", pub->priv->port, "interface", soup_addr, NULL); diff --git a/src/feeds-subscriber.c b/src/feeds-subscriber.c index 259f891..0f63f83 100644 --- a/src/feeds-subscriber.c +++ b/src/feeds-subscriber.c 
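Review bot: In create_and_run_server the property is set only on the lazy-creation branch, so a pub->priv->soupsession that was already assigned before this point (if any other init path or setter does that, which is not visible in the hunk) keeps the unvalidated default; init_run_server in feeds-subscriber.c has the same shape. Moving the call below the if, `g_object_set (G_OBJECT (pub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL);`, applied unconditionally, covers both cases since setting the property again on an already-hardened session is harmless. create_and_run_server continues outside the hunk.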
@@ -513,8 +513,10 @@ init_run_server (GrssFeedsSubscriber *sub) { GInetAddress *addr; - if (sub->priv->soupsession == NULL) + if (sub->priv->soupsession == NULL) { sub->priv->soupsession = soup_session_async_new (); + g_object_set (G_OBJECT (sub->priv->soupsession), "ssl-use-system-ca-file", TRUE, NULL); + } /* Flow: -- GitLab ux platform. * gnu/system/images/rock64.scm (rock64-image-type): Use the aarch64-linux platform. Mathieu Othacehe 2022-05-25Move (gnu platform) and (gnu platforms ...) to guix/....* gnu/platform.scm: * gnu/platforms/arm.scm: * gnu/platforms/hurd.scm: * gnu/platforms/mips.scm: * gnu/platforms/powerpc.scm: * gnu/platforms/riscv.scm: * gnu/platforms/s390.scm: * gnu/platforms/x86.scm: Move to guix/. * Makefile.am: * doc/guix.texi (Porting to a New Platform): * etc/release-manifest.scm: * gnu/ci.scm: * gnu/image.scm: * gnu/local.mk: * gnu/packages/bioinformatics.scm: * gnu/packages/bootstrap.scm: * gnu/packages/cross-base.scm: * gnu/packages/instrumentation.scm: * gnu/packages/linux.scm: * gnu/system/image.scm: * gnu/system/images/hurd.scm: * gnu/system/images/novena.scm: * gnu/system/images/pine64.scm: * gnu/system/images/pinebook-pro.scm: * gnu/system/images/rock64.scm: * guix/scripts/build.scm: * guix/scripts/system.scm: * guix/self.scm: Update (gnu platform...) to (guix platform...). Signed-off-by: Mathieu Othacehe <othacehe@gnu.org> Josselin Poiret