Security Bug in Pidgin-2.10.7

Radhesh Krishnan K radheshkrishnank at
Sat Apr 13 10:33:44 EDT 2013


I would like to report a security bug in pidgin-2.10.7. Pidgin is using the
OpenSSL library for creating secure connections.

A program using OpenSSL can perform the SSL handshake by invoking the
SSL_connect function. Some certificate validation errors are signaled
through the return values of SSL_connect, while for the other errors
SSL_connect returns OK but sets internal "verify result"
flags. The application must call the SSL_get_verify_result function to check if any
such errors occurred. *This check is missing in pidgin.* And thus a
*man-in-the-middle* attack is possible, defeating all the SSL protection. (Please
refer to <>)

Another way to verify the SSL certificate is using the API *SSL_CTX_set_verify*.
The SSL_CTX_set_verify() API allows you to set the verification flags in
the SSL_CTX structure and a callback function for customized verification
as its third argument. (Setting the callback function to NULL means the
built-in default verification function is used.) In the second argument of
SSL_CTX_set_verify(), you can set the following macro
(Referred from <>)


*Server mode:* the server will not send a client certificate request to the
client, so the client will not send a certificate.

*Client mode:* if not using an anonymous cipher (by default disabled), the
server will send a certificate which will be checked. The result of the
certificate verification process can be checked after the TLS/SSL handshake
using the* SSL_get_verify_result* function. The handshake will be continued
regardless of the verification result.

However, in Pidgin *SSL_CTX_set_verify()* is used but the second parameter
is *SSL_VERIFY_NONE* and the third parameter is *NULL*, which means we should
use the *SSL_get_verify_result* API to verify the peer certificate. But this
API is not used anywhere in the Pidgin code base, which makes the product
vulnerable to a *man-in-the-middle attack.*

Radhesh Krishnan K.
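The two configurations the report contrasts, as an added example that is not part of the report or of Pidgin's code: it uses Python's ssl module, which exposes the same OpenSSL settings (verify_mode CERT_NONE corresponds to SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); CERT_REQUIRED corresponds to SSL_VERIFY_PEER, under which a chain error aborts the handshake instead of being left in the verify result). The function names and the audit checks are the author's assumptions, not an API of either project.

```python
import ssl


def pidgin_style_context():
    """Constructed weak pattern: verification disabled, nothing checked afterwards.

    With SSL_VERIFY_NONE the handshake completes regardless of the peer
    certificate; unless the caller also checks SSL_get_verify_result, any
    certificate (including an attacker's) is accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # SSL_VERIFY_NONE
    return ctx


def hardened_context(cafile=None):
    """Hardened pattern: OpenSSL verifies the chain during the handshake.

    CERT_REQUIRED is SSL_VERIFY_PEER: a chain error makes the handshake
    fail, so no separate post-handshake verify-result check can be forgotten.
    check_hostname matches the certificate against the server name, which
    chain verification alone does not do.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile)   # assumed path to a CA bundle
    else:
        ctx.load_default_certs()            # system trust store
    return ctx


def audit_context(ctx):
    """Return the findings a reviewer would raise for a client context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE (SSL_VERIFY_NONE): "
                        "chain errors never abort the handshake")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: certificate is not "
                        "matched against the server name")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", pidgin_style_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```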