[Fwd: Re: Security Bug in Pidgin-2.10.7]

Mark Doliner mark at kingant.net
Tue Jun 4 02:27:11 EDT 2013


Hi Radhesh.  Sorry, we're deplorably slow.  We haven't forgotten about
this... we're just really bad at releasing updates in a timely
fashion.  I swear I'll try to get to this soon.

On Sat, Jun 1, 2013 at 2:24 AM, Radhesh Krishnan K
<radheshkrishnank at gmail.com> wrote:
> Hi Tomasz,
>
> Any updates on this? Please let me know.
>
>
> On Sat, Apr 13, 2013 at 9:28 PM, Ethan Blanton <elb at psg.com> wrote:
>>
>> This is a resend, sorry, I typo'd Tomasz's email address.
>>
>> Ethan
>>
>>
>> ---------- Forwarded message ----------
>> From: Ethan Blanton <elb at pidgin.im>
>> To: Radhesh Krishnan K <radheshkrishnank at gmail.com>
>> Cc: tomasz.wasilczyk.pl at mail.kb8ojh.net, security at pidgin.im
>> Date: Sat, 13 Apr 2013 11:55:45 -0400
>> Subject: Re: Security Bug in Pidgin-2.10.7
>> Radhesh Krishnan K spake unto us the following wisdom:
>> > Okay, maybe I am wrong. Please help me to understand this.
>>
>> This is a complex issue, actually.
>>
>> > File I am referring to is
>> > "pidgin-2.10.7/libpurple/protocols/gg/lib/events.c:843"
>>
>> This file is an imported version of the externally-maintained libgadu
>> library.
>>
>> > Code starting from here.
>> >
>> > #ifdef GG_CONFIG_HAVE_OPENSSL
>>
>> We never set this flag.  When linking against an external libgadu, we
>> additionally have this check:
>>
>> #if defined(__GG_LIBGADU_HAVE_OPENSSL) || defined(GG_CONFIG_HAVE_OPENSSL)
>> #error "libgadu is not compatible with the GPL when compiled with OpenSSL support."
>> #endif
>>
>> This code is dead code in libpurple.  The issue you found may be real,
>> however, and should be taken up with the libgadu developers.  I have
>> Cc'd our own Tomasz Wasilczyk, who has worked with the libgadu
>> developers, and attached your original message.
>>
>> Ethan
>>
>>
>> ---------- Forwarded message ----------
>> From: Radhesh Krishnan K <radheshkrishnank at gmail.com>
>> To: security at pidgin.im
>> Cc:
>> Date: Sat, 13 Apr 2013 20:03:44 +0530
>> Subject: Security Bug in Pidgin-2.10.7
>> Hi,
>>
>> I would like to report a security bug in pidgin-2.10.7.  Pidgin is using
>> the OpenSSL library for creating secure connections.
>>
>> A program using OpenSSL can perform the SSL handshake by invoking the
>> SSL_connect function. Some certificate validation errors are signaled
>> through the return values of SSL_connect, while for the other errors
>> SSL_connect returns OK but sets internal "verify result" flags. The application
>> must call the SSL_get_verify_result function to check if any such errors
>> occurred.  This check is missing in Pidgin, and thus a man-in-the-middle
>> attack is possible, failing all the SSL protection. (Please refer)
>>
>> Another way to verify the SSL certificate is using the API
>> SSL_CTX_set_verify. The SSL_CTX_set_verify() API allows you to set the
>> verification flags in the SSL_CTX structure and a callback function for
>> customized verification as its third argument. (Setting the callback
>> function to NULL means the built-in default verification function is used.)
>> In the second argument of SSL_CTX_set_verify(), you can set the following
>> macros (Referred from )
>>
>> 1. SSL_VERIFY_NONE
>>
>> Server mode: the server will not send a client certificate request to the
>> client, so the client will not send a certificate.
>>
>> Client mode: if not using an anonymous cipher (by default disabled), the
>> server will send a certificate which will be checked. The result of the
>> certificate verification process can be checked after the TLS/SSL handshake
>> using the SSL_get_verify_result function. The handshake will be continued
>> regardless of the verification result.
>>
>> 2. SSL_VERIFY_PEER
>> 3. SSL_VERIFY_FAIL_IF_NO_PEER_CERT
>> 4. SSL_VERIFY_CLIENT_ONCE
>>
>>
>> However, in Pidgin SSL_CTX_set_verify() is used but the second parameter
>> is SSL_VERIFY_NONE and the third parameter is NULL, which means we should use
>> the SSL_get_verify_result API to verify the peer certificate. But the
>> SSL_get_verify_result API is not used anywhere in the Pidgin code base, which
>> makes the product vulnerable to man-in-the-middle attacks.
>>
>>
>> --
>> Regards,
>> Radhesh Krishnan K.
>>
>> _______________________________________________
>> security mailing list
>> security at pidgin.im
>> http://pidgin.im/cgi-bin/mailman/listinfo/security
>>
>>
>
> --
> Regards,
> Radhesh Krishnan K.
>