Request for CVEs for Pidgin

Daniel Atallah daniel.atallah at gmail.com
Fri Oct 17 12:20:46 EDT 2014


On Fri, Oct 17, 2014 at 11:11 AM, Tomas Hoger <thoger at redhat.com> wrote:

> On Tue, 14 Oct 2014 00:16:17 -0700 Mark Doliner wrote:
>
> > 1. Insufficient SSL certificate validation. Discovered by an anonymous
> > person and Jacob Appelbaum of the Tor Project.
> > Both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one
> > for NSS) failed to check that the Basic Constraints extension allowed
> > intermediate certificates to act as CAs. This allowed anyone with any
> > valid certificate to create a fake certificate for any arbitrary
> > domain and Pidgin would trust it.
>
> Out of curiosity, why does this problem exist in the Pidgin code?  Does
> it re-implement certificate checks rather than using implementations in
> NSS or GnuTLS?  This is something that SSL libs should implement, and
> they should not make these mistakes these days.
>
>

Yes, the cause of the problem is that the pidgin code uses internal certificate
validation instead of using the one in the SSL libraries.

In addition to adding the Basic Constraints validation to the internal
validation, we were able to delegate the full validation to NSS with the
2.10.10 release, but were unable to find a way to delegate that to GnuTLS
without API changes.

We certainly recognize the current behavior is not ideal and will be fully
delegating the validation to the relevant library in the 3.0.0 codebase.

-D