libgdata SSL Certificate Validation Security Bypass Vulnerability
BID:52504
Info
| Bugtraq ID: | 52504 |
| Class: | Design Error |
| CVE: | CVE-2012-1177 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 13 2012 12:00AM |
| Updated: | Apr 13 2015 09:44PM |
| Credit: | The vendor reported this issue. |
| Vulnerable: | Ubuntu Ubuntu Linux 11.10 i386; Ubuntu Ubuntu Linux 11.10 amd64; Ubuntu Ubuntu Linux 11.04 powerpc; Ubuntu Ubuntu Linux 11.04 i386; Ubuntu Ubuntu Linux 11.04 ARM; Ubuntu Ubuntu Linux 11.04 amd64; Ubuntu Ubuntu Linux 10.04 sparc; Ubuntu Ubuntu Linux 10.04 powerpc; Ubuntu Ubuntu Linux 10.04 i386; Ubuntu Ubuntu Linux 10.04 ARM; Ubuntu Ubuntu Linux 10.04 amd64; The GNOME Project libgdata 0.6; The GNOME Project libgdata 0.10; Mandriva Linux Mandrake 2011 x86_64; Mandriva Linux Mandrake 2011; Gentoo Linux; Debian Linux 6.0 sparc; Debian Linux 6.0 s/390; Debian Linux 6.0 powerpc; Debian Linux 6.0 mips; Debian Linux 6.0 ia-64; Debian Linux 6.0 ia-32; Debian Linux 6.0 arm; Debian Linux 6.0 amd64 |
| Not Vulnerable: | |
Discussion
libgdata is prone to a security-bypass vulnerability because the application fails to properly validate SSL certificates from the server.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.
libgdata 0.10 is vulnerable; other versions may also be affected.
Exploit / POC
An attacker can use readily available network utilities to exploit this issue.
Solution / Fix
Solution:
Updates are available. Please see the references for more information.
References
References:
- Bug 752088 - VUL-0: libgdata doesn't validate ssl certificates for all connectio (Novell)
- libgdata Homepage (The GNOME Project)
- The relevant fix for the 0.10 branch (Gnome)