Bug 490238 (CVE-2013-4488) - <net-libs/libgadu-1.12.0: missing ssl certificate validation (CVE-2013-4488)
Summary: <net-libs/libgadu-1.12.0: missing ssl certificate validation (CVE-2013-4488)
Status: RESOLVED FIXED
Alias: CVE-2013-4488
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa cve]
Keywords:
Depends on: 528240
Blocks:
Reported: 2013-11-03 09:20 UTC by Agostino Sarubbo
Modified: 2015-08-15 13:00 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2013-11-03 09:20:42 UTC
From ${URL} :

Libgadu, an open library for communicating using the protocol e-mail, was found to be missing
SSL certificate validation. The issue is that libgadu uses the OpenSSL library for creating secure
connections. A program using OpenSSL can perform the SSL handshake by invoking the SSL_connect
function. Some certificate validation errors are signaled through the return value of
SSL_connect, while for the other errors SSL_connect returns OK but sets internal "verify result"
flags. The application must call the SSL_get_verify_result function to check if any such errors occurred.
This check seems to be missing in libgadu, and thus a man-in-the-middle attack is possible, defeating
all the SSL protection.

Upstream suggested that it was a conscious decision: as libgadu is a reverse-engineered implementation
of a proprietary protocol, they had no control over the certificates used for SSL connections, so
they would add a note to the documentation about this.

References:
http://seclists.org/oss-sec/2013/q4/202
https://bugzilla.novell.com/show_bug.cgi?id=848509
http://www.mail-archive.com/libgadu-devel@lists.ziew.org/msg01017.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Sean Amoss gentoo-dev Security 2014-12-08 23:25:17 UTC
Maintainers, please call for stabilization if 1.12.0 is ready. Thank you
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 15:58:25 UTC
CVE-2013-4488 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4488):
  libgadu before 1.12.0 does not verify X.509 certificates from SSL servers,
  which allows man-in-the-middle attackers to spoof servers.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-08-15 13:00:02 UTC
This issue was resolved and addressed in
 GLSA 201508-02 at https://security.gentoo.org/glsa/201508-02
by GLSA coordinator Yury German (BlueKnight).