evolution calendar does not check SSL certificates

It seems a libsoup bug.

Evolution needs to tell libsoup to check the cert.

In e-cal-backend-caldav.c, line 4805, there is a call to soup_session_sync_new(). Afaik, it should be instead a call to soup_session_sync_new_with_options(), passing the SOUP_SESSION_SSL_CA_FILE pointing to the file where CA certificates are stored.

As explained clearly in http://developer.gnome.org/libsoup/stable/libsoup-client-howto.html, without such option "all SSL certificates will be accepted automatically".

Changing such line with:

cbdav->priv->session = soup_session_sync_new_with_options(SOUP_SESSION_SSL_CA_FILE, "/etc/ssl/certs/ca-certificates.crt");

should fix the problem, but I have not tested it yet, and, additionally, I have never used the libsoup library before, so I might be wrong.

There is another call in e-cal-backend-http with the same bug, this time the function used is soup_session_async_new(), and I think it should be soup_session_async_new_with_options(SOUP_SESSION_SSL_CA_FILE, "/etc/ssl/certs/ca-certificates.crt") instead. However, it does not fix the bug.

No idea whether this is the right way to pass the certificates to libsoup, or I'm missing a different call in the code.

Anyway, is anybody looking at this? I think it is a critical bug, as it allows recovering the google account user and password without effort. Many people keeps important data in his/her google account!

The bug also affects google integration with the address book. I hope to have a fix ready soon.

I attach a patch that fixes the problem on Natty. Note that the problem in the address book requires to patch libgdata. I will create a bug for it.

Thanks for the patch!

I'll take a closer look at the patches once you've looked at the address book too.

Libgdata bug was reported as #938812. Report includes patch. Please verify. Note that the wrong libsoup usage seems to affect several ubuntu applications (I'm looking at empathy with telepathy-gabble in the next hours, I will report the bug if needed).

I've sent the report upstream, thanks.

Making this report public since the issue is public elsewhere:

  https://bugzilla.gnome.org/show_bug.cgi?id=671537
  http://www.openwall.com/lists/oss-security/2012/05/04/4

The attachment "check-ssl-certificates.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

Upstream fixes:

http://git.gnome.org/browse/evolution-data-server/commit/?id=969ea449d30be94f92feaa9ae5a18f83e68b2035
http://git.gnome.org/browse/evolution/commit/?id=12256b4f1cc7def560824ed5fb3c506669709a32

These went into 3.5. Precise is 3.2.3-0ubuntu6 and Quantal on 3.4.3-1ubuntu1.

In theory, this should by addressed by a security update. The problem is that adding a new option may break existing users who are using self-signed certs. We may want to default to accepting invalid certs in the security update.

This is fixed in Ubuntu 14.04 LTS and above, and older versions will not get updated because it may break existing installation.
I'm marking this bug as fixed.