From 86099963e926261b55d40c8dfd6f39a8955c7e09 Mon Sep 17 00:00:00 2001
From: programmer12 <964969108@qq.com>
Date: Mon, 15 Nov 2021 11:33:57 +0800
Subject: [PATCH] CVE-2021-39358

(cherry picked from commit a671f012160120408e86b3341003dbe6d013922a)
---
 CVE-2021-39358.patch | 33 +++++++++++++++++++++++++++++++++
 gfbgraph.spec | 7 ++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-39358.patch

diff --git a/CVE-2021-39358.patch b/CVE-2021-39358.patch
new file mode 100644
index 0000000..c1deae8
--- /dev/null
+++ b/CVE-2021-39358.patch
@@ -0,0 +1,33 @@
+From a7d3d5cbf64647c1ed8978b2a33a3be35f888129 Mon Sep 17 00:00:00 2001
+From: "Douglas R. Reno"
+Date: Wed, 15 Sep 2021 17:40:00 +0000
+Subject: [PATCH] Fix CVE-2021-39358 by forcing TLS certificate
+validation
+
+This is similar to the fix performed in other packages. See
+https://gitlab.gnome.org/Teams/Releng/security/-/issues/57 for more
+details.
+
+Tested on Linux From Scratch 11.0 and on Debian 11.
+
+Fixes #17
+
+---
+ gfbgraph/gfbgraph-photo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/gfbgraph/gfbgraph-photo.c b/gfbgraph/gfbgraph-photo.c
+index 1e8955c..f6281a6 100644
+--- a/gfbgraph/gfbgraph-photo.c
++++ b/gfbgraph/gfbgraph-photo.c
+@@ -424,6 +424,7 @@ gfbgraph_photo_download_default_size (GFBGraphPhoto *photo, GFBGraphAuthorizer *
+ 
+ session = soup_session_sync_new ();
+ requester = soup_requester_new ();
++ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
+ soup_session_add_feature (session, SOUP_SESSION_FEATURE (requester));
+ 
+ request = soup_requester_request (requester, priv->source, error);
+-- 
+2.27.0
+
diff --git a/gfbgraph.spec b/gfbgraph.spec
index 750148d..3047380 100644
--- a/gfbgraph.spec
+++ b/gfbgraph.spec
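Review bot: Setting `ssl-use-system-ca-file` alone only makes the system trust store available to the session; whether an untrusted certificate actually aborts the download also depends on the session's `ssl-strict` property, which libsoup 2.4 documents as defaulting to TRUE but which the added line does not pin, so extending the call to `g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, "ssl-strict", TRUE, NULL);` would make the intent explicit and survive a future default change. The property is set after `soup_session_sync_new ()` and before the request is created from `priv->source`, which is the correct ordering since it must be in effect before any connection is opened. The enclosing `gfbgraph_photo_download_default_size` starts and ends outside the hunk, so it cannot be checked here whether the `error` out-parameter passed to `soup_requester_request` is propagated to the caller on a certificate failure; that path is worth confirming in a build test against an endpoint with an invalid certificate.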
@@ -1,10 +1,11 @@
 Name: gfbgraph
 Version: 0.2.4
-Release: 1
+Release: 2
 Summary: GLib/GObject wrapper for the Facebook Graph API
 License: LGPLv2+
 URL: https://wiki.gnome.org/Projects/GFBGraph
 Source0: https://download.gnome.org/sources/gfbgraph/0.2/gfbgraph-%{version}.tar.xz
+Patch0: CVE-2021-39358.patch
 BuildRequires: pkgconfig(gio-2.0) pkgconfig(glib-2.0) pkgconfig(gobject-2.0)
 BuildRequires: pkgconfig(goa-1.0) gobject-introspection-devel gtk-doc pkgconfig(json-glib-1.0)
 BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(rest-0.7)
@@ -22,6 +23,7 @@ developing applications that use gfbgraph.
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 sh autogen.sh
@@ -60,6 +62,9 @@ rm -rf $RPM_BUILD_ROOT%{_prefix}/doc
 %{_includedir}/gfbgraph-0.2/gfbgraph
 
 %changelog
+* Mon Nov 15 2021 liwu - 0.2.4-2
+- Fix CVE-2021-39358
+
 * Thu Jun 17 2021 weijin deng - 0.2.4-1
 - Upgrade to 0.2.4
-- 
Gitee
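Review bot: The new `Patch0: CVE-2021-39358.patch` line carries no pointer to where the patch came from, so a later maintainer has to open the patch file itself to find its upstream origin; a comment such as `# Upstream fix for CVE-2021-39358, see https://gitlab.gnome.org/Teams/Releng/security/-/issues/57` directly above it would keep the provenance in the spec. The embedded patch's `From:` header names the author but carries no address, which is harmless to the `%patch0 -p1` added in the second hunk but is worth noting if the file is ever re-fetched from upstream. The Release bump in this hunk and the changelog entry in the third hunk agree with each other (0.2.4-2).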