From d796810f35bfeea4de895f74b6c0ff107ed04371 Mon Sep 17 00:00:00 2001
From: programmer12 <964969108@qq.com>
Date: Tue, 16 Nov 2021 11:23:46 +0800
Subject: [PATCH] CVE-2021-39358

(cherry picked from commit 00647f51d7ec72c1c0ca95c838e7999177b3d220)
---
 CVE-2021-39358.patch | 33 +++++++++++++++++++++++++++++++++
 gfbgraph.spec | 8 ++++++--
 2 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2021-39358.patch

diff --git a/CVE-2021-39358.patch b/CVE-2021-39358.patch
new file mode 100644
index 0000000..c1deae8
--- /dev/null
+++ b/CVE-2021-39358.patch
@@ -0,0 +1,33 @@
+From a7d3d5cbf64647c1ed8978b2a33a3be35f888129 Mon Sep 17 00:00:00 2001
+From: "Douglas R. Reno"
+Date: Wed, 15 Sep 2021 17:40:00 +0000
+Subject: [PATCH] Fix CVE-2021-39358 by forcing TLS certificate
+validation
+
+This is similar to the fix performed in other packages. See
+https://gitlab.gnome.org/Teams/Releng/security/-/issues/57 for more
+details.
+
+Tested on Linux From Scratch 11.0 and on Debian 11.
+
+Fixes #17
+
+---
+ gfbgraph/gfbgraph-photo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/gfbgraph/gfbgraph-photo.c b/gfbgraph/gfbgraph-photo.c
+index 1e8955c..f6281a6 100644
+--- a/gfbgraph/gfbgraph-photo.c
++++ b/gfbgraph/gfbgraph-photo.c
+@@ -424,6 +424,7 @@ gfbgraph_photo_download_default_size (GFBGraphPhoto *photo, GFBGraphAuthorizer *
+ 
+ session = soup_session_sync_new ();
+ requester = soup_requester_new ();
++ g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, NULL);
+ soup_session_add_feature (session, SOUP_SESSION_FEATURE (requester));
+ 
+ request = soup_requester_request (requester, priv->source, error);
+--
+2.27.0
+
diff --git a/gfbgraph.spec b/gfbgraph.spec
index d710fdc..1000494 100644
--- a/gfbgraph.spec
+++ b/gfbgraph.spec
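Review bot: The added `g_object_set` only makes the session load the system CA bundle; whether a certificate that fails validation actually aborts the download still depends on the session's `ssl-strict` property, which the inner hunk leaves at its libsoup 2.4 default (TRUE) instead of pinning it alongside the new setting. Since the whole point of the fix is that validation cannot be skipped, spelling it out costs nothing: `g_object_set (G_OBJECT (session), "ssl-use-system-ca-file", TRUE, "ssl-strict", TRUE, NULL);`. The body of `gfbgraph_photo_download_default_size` continues outside the hunk, so it is not visible here whether the error returned by `soup_requester_request` is propagated to the caller when the TLS handshake is rejected. If the library creates further SoupSession instances elsewhere, this one-line change does not cover them — worth confirming before the package is treated as fully fixed.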
@@ -1,10 +1,11 @@
 Name: gfbgraph
 Version: 0.2.3
-Release: 1
+Release: 2
 Summary: GLib/GObject wrapper for the Facebook Graph API
 License: LGPLv2+
 URL: https://wiki.gnome.org/Projects/GFBGraph
 Source0: https://download.gnome.org/sources/gfbgraph/0.2/gfbgraph-%{version}.tar.xz
+Patch0: CVE-2021-39358.patch
 BuildRequires: pkgconfig(gio-2.0) pkgconfig(glib-2.0) pkgconfig(gobject-2.0)
 BuildRequires: pkgconfig(goa-1.0) gobject-introspection-devel gtk-doc pkgconfig(json-glib-1.0)
 BuildRequires: pkgconfig(libsoup-2.4) pkgconfig(rest-0.7)
@@ -21,7 +22,7 @@ The gfbgraph-devel package contains libraries and header files for developing
 applications that use gfbgraph.
 
 %prep
-%setup -q
+%autosetup -n %{name}-%{version} -p1
 
 %build
 %configure \
@@ -59,5 +60,8 @@ rm -rf $RPM_BUILD_ROOT%{_prefix}/doc
 %{_includedir}/gfbgraph-0.2/gfbgraph
 
 %changelog
+* Tue Nov 16 2021 liwu - 0.2.3-2
+- Fix CVE-2021-39358
+
 * Mon Jul 20 2020 yaokai - 0.2.3-1
 - package init
--
Gitee
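Review bot: In the `%prep` hunk, `-n %{name}-%{version}` restates the default source directory that `%autosetup` already derives from Name and Version, so `%autosetup -p1` is equivalent and leaves one less string to keep in sync with `Source0` if the tarball layout ever changes. The `-p1` strip level does match the `a/`/`b/` path prefixes used inside `CVE-2021-39358.patch`, so the patch should apply as registered by `Patch0`.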