Request for CVEs for Pidgin

Tomas Hoger thoger at redhat.com
Fri Oct 17 11:11:28 EDT 2014


On Tue, 14 Oct 2014 00:16:17 -0700 Mark Doliner wrote:

> 1. Insufficient SSL certificate validation. Discovered by an anonymous
> person and Jacob Appelbaum of the Tor Project.
> Both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one
> for NSS) failed to check that the Basic Constraints extension allowed
> intermediate certificates to act as CAs. This allowed anyone with any
> valid certificate to create a fake certificate for any arbitrary
> domain and Pidgin would trust it.

Out of curiosity, why does this problem exist in the Pidgin code?  Does
it re-implement certificate checks rather than using implementations in
NSS or GnuTLS?  This is something that SSL libs should implement, and
they should not make these mistakes these days.

-- 
Tomas Hoger / Red Hat Product Security
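Added example, not code from this thread, from Pidgin/libpurple or from either SSL library: a Go fixture and validator for the check the report says both plugins omitted. The certificates, names and serials are constructed test data; VerifyLink with requireCA=false reproduces a signature-only check, and with requireCA=true adds the RFC 5280 Basic Constraints rule (Go's own CheckSignatureFrom applies the same rule).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a cert for name with Basic Constraints cA=ca; parent == nil means self-signed.
func newCert(name string, ca bool, serial int64, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, // extension is present; ca is its cA boolean
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyLink checks that issuer signed subject. requireCA=false stops at the signature (the
// incomplete check in the report); requireCA=true adds RFC 5280 4.2.1.9: cA=TRUE or no signing.
func VerifyLink(subject, issuer *x509.Certificate, requireCA bool) error {
	if err := issuer.CheckSignature(subject.SignatureAlgorithm, subject.RawTBSCertificate, subject.Signature); err != nil {
		return fmt.Errorf("bad signature: %w", err)
	}
	if requireCA && !(issuer.BasicConstraintsValid && issuer.IsCA) {
		return fmt.Errorf("%q is not a CA: Basic Constraints cA not asserted", issuer.Subject.CommonName)
	}
	return nil
}

// BuildFixture: constructed root CA, an end-entity cert it issued, and a cert for another name signed with that end-entity key.
func BuildFixture() (root, leaf, rogue *x509.Certificate) {
	root, rootKey := newCert("Test Root", true, 1, nil, nil)
	leaf, leafKey := newCert("leaf.example", false, 2, root, rootKey)
	rogue, _ = newCert("xmpp.example", false, 3, leaf, leafKey)
	return
}
```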

