Bug 526502 (CVE-2014-3694) - <net-im/pidgin-2.10.10: MITM (CVE-2014-3694)
Summary: <net-im/pidgin-2.10.10: MITM (CVE-2014-3694)
Status: RESOLVED FIXED
Alias: CVE-2014-3694
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Duplicates: 526546
Depends on: 526644
Blocks:
Reported: 2014-10-22 19:05 UTC by Manuel Rüger (RETIRED)
Modified: 2014-12-31 14:52 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Manuel Rüger (RETIRED) gentoo-dev 2014-10-22 19:05:35 UTC
Check the basic constraints extension when validating SSL/TLS certificates. This fixes a security hole that allowed a malicious man-in-the-middle to impersonate an IM server or any other https endpoint. This affected both the NSS and GnuTLS plugins. (Discovered by an anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability. Thanks to Kai Engert for guidance and for some of the NSS changes) (CVE-2014-3694) 

See https://developer.pidgin.im/wiki/ChangeLog
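The check the changelog entry describes, as an added example that is not Pidgin's code: libpurple's fix lives in its NSS and GnuTLS plugins, while this block uses Go's standard-library crypto/x509, which implements the same RFC 5280 rule, so it runs without any external library. Every key, certificate and hostname below is constructed in the block; `checkChain` with `requireCA=false` stands in for the class of verifier the bug describes (signatures confirmed, Basic Constraints ignored) and is not a copy of the vulnerable libpurple code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoChain is a constructed scenario: a trusted root (cA=TRUE), a server leaf
// issued by it (cA=FALSE), and a "rogue" certificate signed with the leaf's key.
type demoChain struct {
	Root, Leaf, Rogue *x509.Certificate
}

// template returns a v3 certificate template that carries the Basic Constraints
// extension; IsCA (default false) decides the cA flag. Names are placeholders.
func template(serial int64, cn string) x509.Certificate {
	now := time.Now()
	return x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
}

// issue signs tmpl with signer (the private key behind parent) and parses the
// DER result so the returned certificate carries the decoded extensions.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func buildDemoChain() (*demoChain, error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	root := template(1, "Demo Root CA")
	root.IsCA = true
	root.KeyUsage = x509.KeyUsageCertSign
	rootCert, err := issue(&root, &root, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leaf := template(2, "im.example.net") // end-entity certificate: cA=FALSE
	leaf.DNSNames = []string{"im.example.net"}
	leafCert, err := issue(&leaf, rootCert, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	// Signed with the leaf's key: nothing in the signing step prevents this,
	// so only the verifier can notice that the issuer is not a CA.
	rogue := template(3, "chat.example.org")
	rogue.DNSNames = []string{"chat.example.org"}
	rogueCert, err := issue(&rogue, leafCert, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &demoChain{Root: rootCert, Leaf: leafCert, Rogue: rogueCert}, nil
}

// checkChain verifies chain[0] through its issuers up to the trusted root.
// requireCA=false confirms every signature but never asks whether the signer
// was allowed to act as a CA; requireCA=true adds the RFC 5280 4.2.1.9 rule
// that the fix introduces: an issuer must carry Basic Constraints with cA=TRUE.
func checkChain(chain []*x509.Certificate, root *x509.Certificate, requireCA bool) error {
	for i, cert := range chain {
		issuer := root
		if i+1 < len(chain) {
			issuer = chain[i+1]
		}
		if requireCA && (!issuer.BasicConstraintsValid || !issuer.IsCA) {
			return fmt.Errorf("%q is signed by %q, which is not a CA (Basic Constraints cA=FALSE or absent)",
				cert.Subject.CommonName, issuer.Subject.CommonName)
		}
		if err := issuer.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
			return err
		}
	}
	return nil
}

// stdlibVerify shows that crypto/x509's own path builder enforces the same rule.
func stdlibVerify(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

func main() {
	d, err := buildDemoChain()
	if err != nil {
		panic(err)
	}
	rogueChain := []*x509.Certificate{d.Rogue, d.Leaf}
	fmt.Println("signature-only check:", checkChain(rogueChain, d.Root, false))
	fmt.Println("basic-constraints check:", checkChain(rogueChain, d.Root, true))
	fmt.Println("crypto/x509 Verify:", stdlibVerify(d.Rogue, []*x509.Certificate{d.Leaf}, d.Root, "chat.example.org"))
}
```

The signature-only pass accepts the rogue chain because every signature really is valid; the Basic Constraints pass and `Verify` reject it because the leaf's extension says cA=FALSE. The same outcome holds when the extension is absent from a v3 certificate, which is why the check tests `BasicConstraintsValid` as well as `IsCA`.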
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-10-22 20:41:42 UTC
+*pidgin-2.10.10 (22 Oct 2014)
+
+  22 Oct 2014; Lars Wendler <polynomial-c@gentoo.org> pidgin-2.10.9.ebuild,
+  pidgin-2.10.9-r1.ebuild, +pidgin-2.10.10.ebuild:
+  Security bump (bug #526502). Fixes CVE-2014-3694. Adjusted perl dep in all
+  ebuilds.
+

Arches please test and mark stable =net-im/pidgin-2.10.10 with target KEYWORDS:
alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~x86-freebsd ~amd64-linux ~x86-linux ~x86-macos
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-10-23 09:23:27 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2014-10-23 10:21:16 UTC
*** Bug 526546 has been marked as a duplicate of this bug. ***
Comment 4 Agostino Sarubbo gentoo-dev 2014-10-27 14:17:03 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-10-27 14:18:22 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-10-29 12:03:10 UTC
sparc stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2014-10-29 15:02:43 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2014-10-30 18:53:47 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-11-02 09:43:05 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-11-10 13:45:42 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-11-10 13:52:47 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-12-28 10:47:34 UTC
+  28 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> -pidgin-2.10.9-r1.ebuild,
+  -files/pidgin-2.10.9-python3_fix1.patch,
+  -files/pidgin-2.10.9-python3_fix2.patch:
+  Removed vulnerable versions.
+
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-12-28 11:20:34 UTC
GLSA vote: no.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-12-31 14:49:28 UTC
CVE-2014-3694 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3694):
  The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS
  plugin in libpurple in Pidgin before 2.10.10 do not properly consider the
  Basic Constraints extension during verification of X.509 certificates from
  SSL servers, which allows man-in-the-middle attackers to spoof servers and
  obtain sensitive information via a crafted certificate.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-12-31 14:52:05 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No