Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 234135 (CVE-2008-3532)

Summary: net-im/pidgin < 2.5.1 Failure to verify SSL certificate (CVE-2008-3532)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: amigadave, dhp_gentoo, net-im
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/31390/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 22:26:10 UTC 
Secunia writes:
A security issue has been reported in Pidgin, which can be exploited
by malicious people to conduct spoofing attacks.

The problem is that the certificate presented by e.g. a Jabber server
at the beginning of an SSL session is not verified. This can be
exploited to spoof valid servers via a man-in-the-middle attack.

Successful exploitation requires that Pidgin is configured to use the
NSS plugin.

The security issue is reported in version 2.4.3. Other versions may
also be affected.

SOLUTION:
Do not rely on the application's SSL certificate verification.

PROVIDED AND/OR DISCOVERED BY:
Reported by Josh Triplett in a Debian bug report.

ORIGINAL ADVISORY:
http://developer.pidgin.im/ticket/6500

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492434
Comment 1 David King 2008-08-20 14:55:35 UTC 
This issue is fixed in 2.5.0, which is in the portage tree but currently marked unstable.
Comment 2 Olivier Crete (RETIRED) gentoo-dev 2008-08-20 16:32:24 UTC 
The ebuild is in. I'm a bit shy about rushing this to stable because its not a great threat and there is a whole new MSN implementation in that version and I'm not sure how good it is.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-20 20:22:21 UTC 
We could argue about the impact of failure to verify certificates, especially when people rely on it. Let's give it the rest of this week in ~arch to test, and we will CC arches on Aug. 24.
Please mark any bugs that come up as blockers of this bug.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-05 21:32:28 UTC 
Arches, please test and mark stable net-im/pidgin-2.5.1. Target Keywords: "alpha amd64 hppa ia64 ppc ~ppc64 sparc x86 ~x86-fbsd"
Comment 5 Ferris McCormick (RETIRED) gentoo-dev 2008-09-05 23:39:57 UTC 
Sparc stable for pidgin-2.5.1.
Comment 6 Markus Meier gentoo-dev 2008-09-06 12:39:33 UTC 
amd64/x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-09-06 15:56:45 UTC 
alpha/ia64 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-06 21:40:36 UTC 
ppc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-09-08 03:12:24 UTC 
Stable for HPPA.
Comment 10 DEMAINE Benoît-Pierre, aka DoubleHP 2008-09-10 01:47:39 UTC 
2.5.1 is now in x86 stable and merged to Portage; if all other arch, i think you can close this bug ...
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-11 17:34:40 UTC 
(In reply to comment #10)
> 2.5.1 is now in x86 stable and merged to Portage; if all other arch, i think
> you can close this bug ... 
> 

Thanks for your effort, but ... no, not really. This is a security bug, please see our policy[1].

So, ready for voting. I vote YES.


[1] http://www.gentoo.org/security/en/vulnerability-policy.xml
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-18 21:50:27 UTC 
voting yes too, request filed.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-20 22:08:01 UTC 
GLSA 200901-13, sorry for the delay
Comment 14 DEMAINE Benoît-Pierre, aka DoubleHP 2009-01-21 00:49:59 UTC 
2.5.2 stable by now, and 2.5.4 should come in withint 24h (bump request just closed, waiting for tree to sync).