Security Bug due to Unchecked use of GnuTLS function
Yuan Jochen Kang
yjk2106 at columbia.edu
Sun Apr 10 19:20:32 EDT 2016
Dear Pidgin developers,
We are security researchers at Columbia University and the University of
Virginia. As part of a research project, we have built a tool for
automatically finding error handling bugs and are testing it on various
cryptographic libraries and applications that use them.
We discovered that failures of gnutls_x509_crt_init are sometimes ignored,
which could make the resulting certificate invalid.
Please let us know how you intend to address the following issue:
libpurple/plugins/ssl/ssl-gnutls.c, line 688:
static PurpleCertificate *
x509_import_from_datum(const gnutls_datum_t dt, gnutls_x509_crt_fmt_t mode)
{
...
gnutls_x509_crt_init(&(certdat->crt));
...
}
Thank you,
Yuan Kang
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20160410/8c01734a/attachment.html>
More information about the security
mailing list