Bug 467934 (CVE-2007-6746)

Summary: <net-irc/telepathy-idle-0.1.16 : does not properly validate SSL certificates (CVE-2007-6746)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gnome, net-im
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=956334
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-04-29 22:21:21 UTC
From ${URL} :

It was reported [1],[2] that telepathy-idle, an IRC backend for the Telepathy framework, did not check the server's SSL/TLS certificate for validity [3]. This could allow an attacker to carry out man-in-the-middle attacks.

This flaw has existed in the source since 2007, and versions 0.1.11 through to 0.1.14 use GLib for TLS, so they did very basic checks on certificates, but did not check that the certificate issuer was a trusted CA, that the identity matched the server's hostname, or that the certificate had not expired.

The forthcoming 0.1.15 release will fix this flaw; a patch is attached to the upstream bug [4].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706094
[2] http://www.openwall.com/lists/oss-security/2013/04/24/5
[3] https://bugs.freedesktop.org/show_bug.cgi?id=63810
[4] https://bugs.freedesktop.org/attachment.cgi?id=78341

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not
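The three checks the report says were missing (trusted issuer, hostname identity, validity period), shown as an added example with Python's ssl module. This is not telepathy-idle's code nor the upstream patch; the sample certificate dictionary is constructed in the shape that SSLSocket.getpeercert() returns, and the hostname and port used by connect_irc_tls are placeholders.

```python
"""Added example (not telepathy-idle's code): the certificate checks that
CVE-2007-6746 says telepathy-idle skipped, expressed with Python's ssl module.

A client that skips them accepts whatever certificate an active network
attacker presents; a client that performs them accepts only a certificate
chained to a trusted CA, valid for the name it dialled, and inside its
validity period."""
import socket
import ssl
import time


def unverified_context():
    """The weak configuration: encryption on the wire, no authentication.
    With CERT_NONE OpenSSL skips chain validation entirely, so CA trust and
    expiry are both unchecked; check_hostname is cleared first because the
    ssl module refuses CERT_NONE while hostname checking is still on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile=None):
    """The corrected configuration: the system trust store (or `cafile`)
    is loaded, a chain to a trusted CA is required, notBefore/notAfter are
    enforced, and the peer name is matched against the certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return the gaps of the kind described in the bug for a given context."""
    gaps = []
    if ctx.verify_mode == ssl.CERT_NONE:
        gaps.append("issuer not checked against trusted CAs")
        gaps.append("certificate validity period not checked")
    if not ctx.check_hostname:
        gaps.append("server hostname not matched against certificate")
    return gaps


# The same checks spelled out over a parsed certificate, to show what the
# library is doing on the client's behalf.

def _dns_name_matches(pattern, hostname):
    """Exact case-insensitive match, or a single '*' covering the whole
    left-most label (the usual RFC 6125 style rule)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                       # ".example.org"
    prefix = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
    return bool(prefix) and "." not in prefix  # exactly one extra label


def hostname_matches(cert, hostname):
    """Match against subjectAltName dNSName entries; fall back to the
    subject Common Name only when the certificate carries no SAN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_dns_name_matches(s, hostname) for s in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def within_validity(cert, now=None):
    """notBefore <= now <= notAfter, using the text dates getpeercert() gives."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


# Constructed sample in the shape of SSLSocket.getpeercert(); not a real cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "irc.example.org"),),),
    "subjectAltName": (("DNS", "irc.example.org"), ("DNS", "*.irc.example.org")),
    "notBefore": "May  1 00:00:00 2013 GMT",
    "notAfter": "May  1 00:00:00 2014 GMT",
}


def connect_irc_tls(host, port=6697, ctx=None, timeout=10):
    """Open a TLS connection to an IRC server (placeholder host/port).
    With the default verified context a failing check raises
    ssl.SSLCertVerificationError before any IRC traffic is sent."""
    ctx = ctx or verified_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)
```

In the verified configuration the expiry and issuer checks are performed by OpenSSL during the handshake, so the explicit helpers only make visible what a correctly configured context already enforces; the point of audit_context is that dropping to CERT_NONE silently removes all three at once.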
Comment 1 Pacho Ramos gentoo-dev 2013-05-01 09:06:48 UTC
0.1.15 is already in the tree, feel free to stabilize it
Comment 2 Pacho Ramos gentoo-dev 2013-05-01 17:31:44 UTC
(In reply to comment #1)
> 0.1.15 is already in the tree, feel free to stabilize it

0.1.16 is a better candidate as it fixes a regression the previous fix for the security bug had
Comment 3 Agostino Sarubbo gentoo-dev 2013-05-02 12:03:45 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-05-02 12:04:16 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-05-03 13:32:17 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-05-05 14:12:16 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-05-05 17:34:26 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-05-07 13:38:42 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-05-07 13:55:10 UTC
sparc stable
Comment 10 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-28 23:19:56 UTC
GLSA vote: no. @maintainers: please clean up affected versions.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-08-28 23:20:03 UTC
CVE-2007-6746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6746):
  telepathy-idle before 0.1.15 does not verify (1) that the issuer is a
  trusted CA, (2) that the server hostname matches a domain name in the
  subject's Common Name (CN), or (3) the expiration date of the X.509
  certificate, which allows man-in-the-middle attackers to spoof SSL servers
  via an arbitrary valid certificate.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2013-08-28 23:24:03 UTC
NO too.
Comment 13 Pacho Ramos gentoo-dev 2013-08-29 08:12:16 UTC
+  29 Aug 2013; Pacho Ramos <pacho@gentoo.org> -telepathy-idle-0.1.14.ebuild,
+  -telepathy-idle-0.1.15.ebuild:
+  Drop old
+