[Fwd: Re: Security Bug in Pidgin-2.10.7]

Radhesh Krishnan K radheshkrishnank at gmail.com
Sat Jun 1 05:24:18 EDT 2013


Hi Tomasz,

Any updates on this? Please let me know.


On Sat, Apr 13, 2013 at 9:28 PM, Ethan Blanton <elb at psg.com> wrote:

> This is a resend, sorry, I typo'd Tomasz's email address.
>
> Ethan
>
>
> ---------- Forwarded message ----------
> From: Ethan Blanton <elb at pidgin.im>
> To: Radhesh Krishnan K <radheshkrishnank at gmail.com>
> Cc: tomasz.wasilczyk.pl at mail.kb8ojh.net, security at pidgin.im
> Date: Sat, 13 Apr 2013 11:55:45 -0400
> Subject: Re: Security Bug in Pidgin-2.10.7
> Radhesh Krishnan K spake unto us the following wisdom:
> > Okay, maybe I am wrong. Please help me to understand this.
>
> This is a complex issue, actually.
>
> > The file I am referring to is
> > "pidgin-2.10.7/libpurple/protocols/gg/lib/events.c:843"
>
> This file is an imported version of the externally-maintained libgadu
> library.
>
> > Code starting from here.
> >
> > #ifdef GG_CONFIG_HAVE_OPENSSL
>
> We never set this flag.  When linking against an external libgadu, we
> additionally have this check:
>
> #if defined(__GG_LIBGADU_HAVE_OPENSSL) || defined(GG_CONFIG_HAVE_OPENSSL)
> #error "libgadu is not compatible with the GPL when compiled with OpenSSL support."
> #endif
>
> This code is dead code in libpurple.  The issue you found may be real,
> however, and should be taken up with the libgadu developers.  I have
> Cc'd our own Tomasz Wasilczyk, who has worked with the libgadu
> developers, and attached your original message.
>
> Ethan
>
>
> ---------- Forwarded message ----------
> From: Radhesh Krishnan K <radheshkrishnank at gmail.com>
> To: security at pidgin.im
> Cc:
> Date: Sat, 13 Apr 2013 20:03:44 +0530
> Subject: Security Bug in Pidgin-2.10.7
> Hi,
>
> I would like to report a security bug in pidgin-2.10.7.  Pidgin is using
> the OpenSSL library for creating secure connections.
>
> A program using OpenSSL can perform an SSL handshake by invoking the
> SSL_connect function. Some certificate validation errors are signaled
> through the return value of SSL_connect, while for the other errors
> SSL_connect returns OK but sets internal "verify result" flags. The
> application must call the SSL_get_verify_result function to check if any
> such errors occurred.  This check is missing in pidgin. And thus a
> man-in-the-middle attack is possible, defeating all the SSL protection. (Please
> refer to <https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf>)
>
> Another way to verify the SSL certificate is using the API SSL_CTX_set_verify.
> The SSL_CTX_set_verify() API allows you to set the verification flags
> in the SSL_CTX structure and a callback function for customized
> verification as its third argument. (Setting the callback function to NULL
> means the built-in default verification function is used.) In the second
> argument of SSL_CTX_set_verify(), you can set the following macros
> (referred from <http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#>):
>
> 1. SSL_VERIFY_NONE
>
>    Server mode: the server will not send a client certificate request to
>    the client, so the client will not send a certificate.
>
>    Client mode: if not using an anonymous cipher (by default disabled),
>    the server will send a certificate which will be checked. The result of the
>    certificate verification process can be checked after the TLS/SSL handshake
>    using the SSL_get_verify_result function. The handshake will be
>    continued regardless of the verification result.
>
> 2. SSL_VERIFY_PEER
> 3. SSL_VERIFY_FAIL_IF_NO_PEER_CERT
> 4. SSL_VERIFY_CLIENT_ONCE
>
>
> However, in pidgin SSL_CTX_set_verify() is used but the second
> parameter is SSL_VERIFY_NONE and the third parameter is NULL, which means
> we should use the SSL_get_verify_result API to verify the peer
> certificate. But the SSL_get_verify_result API is not used anywhere in the
> pidgin code base, which makes the product vulnerable to a man-in-the-middle
> attack.
>
>
> --
> Regards,
> Radhesh Krishnan K.
>
> _______________________________________________
> security mailing list
> security at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/security


-- 
Regards,
Radhesh Krishnan K.
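The verification settings the report above describes, as an added example (not code from this thread, from Pidgin or from libgadu), written against Python's ssl module, which exposes the same OpenSSL controls: verify_mode is the second argument of SSL_CTX_set_verify(), and check_hostname adds the hostname match that SSL_VERIFY_PEER alone does not perform. The weak context reproduces the SSL_VERIFY_NONE-with-no-SSL_get_verify_result configuration, the hardened context is the corrected one, and the audit function flags the difference; all function names are my own.

```python
import ssl
from typing import List, Optional

# Added example. Python's ssl module wraps the OpenSSL API discussed in the
# report: ctx.verify_mode maps to the second argument of SSL_CTX_set_verify(),
# and ctx.check_hostname adds the hostname match that SSL_VERIFY_PEER omits.


def weak_client_context() -> ssl.SSLContext:
    """Reproduce the reported configuration: SSL_VERIFY_NONE and no later
    SSL_get_verify_result() check. The handshake succeeds against any
    certificate, so an interposed party is never detected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # == SSL_VERIFY_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Corrected configuration: CERT_REQUIRED (== SSL_VERIFY_PEER) makes the
    handshake itself fail on an untrusted chain, and check_hostname ties the
    certificate to the name being connected to. cafile is an optional trust
    anchor file; without it the platform trust store is used."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the verification weaknesses present in a client context.
    An empty list means both the certificate chain and the hostname are
    checked before any application data is exchanged."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE (SSL_VERIFY_NONE): the chain "
                        "is not validated during the handshake")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate issued "
                        "for any other name is accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```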