Pidgin XMPP TLS/SSL Man in the Middle attack

Bug #251304 reported by TC on 2008-07-23
Affects          Status        Importance  Assigned to  Milestone
Pidgin           Fix Released  Unknown
pidgin (Debian)  Fix Released  Unknown
pidgin (Ubuntu)                Undecided   Unassigned
Nominated for Hardy by Miron Cuperman

Bug Description

Binary package hint: pidgin

It looks like this bug was reported in Launchpad some time ago, but for the wrong package. I'd love to see it fixed. Here's the original text:

As per http://developer.pidgin.im/ticket/3381 the Pidgin IM client does not properly implement SSL and TLS, particularly components dealing with feedback to the end user.

The client gives the end user no method of determining the validity of the certificate; in cases where a server presents invalid or self-signed certificates, Pidgin operates as normal. As a result, any man-in-the-middle attack can handshake with the server and with the client (using a fake certificate) and perform a decrypt-recrypt process to read the data, including message text and plaintext passwords, in plain text.

No proof of concept for this specific attack exists. Those wishing to write one can create an Ettercap plug-in.
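The defect described above, and what the CVE-2008-3532 patch to libpurple/plugins/ssl/ssl-nss.c adds, comes down to what a TLS client does when the certificate it is handed does not chain to anything it trusts, or is issued for a different name. The program below is an added example written for this page in Go; it is not Pidgin's code and not the NSS patch. It generates two self-signed certificates for one constructed hostname (xmpp.example.test), one standing in for the real server and one for whatever an interposed party would have to present, then runs four handshakes over loopback TCP: a client that skips verification (the pre-fix behaviour), and a verifying client against the genuine certificate, against the forgery, and against the genuine certificate under a wrong expected name. The names serverName, selfSigned, handshake, Verdicts and Compare are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed hostname that both the genuine and the forged certificate claim.
const serverName = "xmpp.example.test"

// selfSigned builds an in-memory self-signed server certificate for host with a
// fresh key, so two calls give a "genuine" certificate and an unrelated forgery.
func selfSigned(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// handshake connects a client configured with clientCfg over loopback TCP to a
// server presenting serverCert and returns the client's verdict on that certificate.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close() // only the client's verdict matters; the server's result is dropped
			_ = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	err = tls.Client(raw, clientCfg).Handshake()
	raw.Close() // unblocks the server goroutine whatever state it is in
	<-done
	return err
}
type Verdicts struct {
	UnverifiedAcceptsForged  bool // pre-fix behaviour: nothing is checked, so the forgery goes through
	VerifiedAcceptsGenuine   bool // fixed behaviour still admits the real server
	VerifiedRejectsForged    bool // fixed behaviour refuses a certificate it cannot chain to a trust anchor
	VerifiedRejectsWrongName bool // fixed behaviour refuses a trusted certificate issued for another name
}

// Compare runs the four handshakes described by the Verdicts fields.
func Compare() (Verdicts, error) {
	var v Verdicts
	genuine, err := selfSigned(serverName)
	if err != nil {
		return v, err
	}
	forged, err := selfSigned(serverName)
	if err != nil {
		return v, err
	}
	trusted := x509.NewCertPool() // trust anchor: the genuine certificate, as a user who inspected and accepted it would store it
	trusted.AddCert(genuine.Leaf)
	noCheck := &tls.Config{ServerName: serverName, InsecureSkipVerify: true} // pre-fix behaviour
	check := &tls.Config{ServerName: serverName, RootCAs: trusted}           // fixed behaviour
	wrongName := &tls.Config{ServerName: "other.example.test", RootCAs: trusted}
	v.UnverifiedAcceptsForged = handshake(forged, noCheck) == nil
	v.VerifiedAcceptsGenuine = handshake(genuine, check) == nil
	v.VerifiedRejectsForged = errors.As(handshake(forged, check), new(x509.UnknownAuthorityError))
	v.VerifiedRejectsWrongName = errors.As(handshake(genuine, wrongName), new(x509.HostnameError))
	return v, nil
}

func main() {
	v, err := Compare()
	fmt.Printf("%+v %v\n", v, err)
}
```

The two rejections are distinct checks: the forgery fails because no trust anchor signs it (x509.UnknownAuthorityError), and the wrong-name case fails even though the certificate is trusted, because the name the client expected is not among the names it was issued for (x509.HostnameError). A client that implements only one of the two, or that merely warns and continues, leaves the interposition described in the report possible.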

Changed in pidgin:
status: Unknown → Confirmed
Miron Cuperman (devrandom) wrote :

See also http://developer.pidgin.im/ticket/6500 which includes a patch.

Kees Cook (kees) wrote :

Has a CVE been assigned for this design failure? I haven't been able to find one yet.

Changed in pidgin:
status: New → Confirmed
Miron Cuperman (devrandom) wrote :

I don't think so. I would have done it, but not certain of the procedure.

Ah-ha, it appears the request is pending. I found the thread on the oss-security mailing list.

Till Ulen (tillulen) wrote :

On Fri, Aug 8, 2008 at 02:11, Steven M. Christey <coley at linus mitre org> wrote:
>
> On Tue, 5 Aug 2008, Josh Bressers wrote:
>
>> http://developer.pidgin.im/ticket/6500
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492434
>
> Use CVE-2008-3532, to be updated later.
>
> - Steve

Changed in pidgin:
status: Confirmed → Fix Released
Changed in pidgin:
status: Unknown → Fix Released
dave b. (d+b) wrote :

Has the fix been included in pidgin on Ubuntu?
This is a security risk and should be fixed at some point.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.2.1-1ubuntu4.3

---------------
pidgin (1:2.2.1-1ubuntu4.3) gutsy-security; urgency=low

  * SECURITY UPDATE: code execution via integer overflow in the MSN protocol
    handler (LP: #245770)
    - debian/patches/99_SECURITY_CVE-2008-2927.patch: fix
      msn_slplink_process_msg() in src/protocols/msn/slplink.c by checking
      against maximum size G_MAXSIZE.
    - CVE-2008-2927
  * SECURITY UPDATE: denial of service via specially formulated long
    filename (LP: #245769)
    - debian/patches/99_SECURITY_CVE-2008-2955.patch: change
      src/protocols/msn/[slplink.c,slpcall.*] to make sure xfer structure still
      exists before putting dest_fp in it.
    - CVE-2008-2955
  * SECURITY UPDATE: denial of service via resource exhaustion from arbitrary
    URL in UPnP functionality (LP: #245769)
    - debian/patches/99_SECURITY_CVE-2008-2957.patch: modified
      libpurple/[upnp.c,util.*] to add purple_util_fetch_url_request_len() in
      order to limit http downloads to 128k.
    - CVE-2008-2957
  * SECURITY UPDATE: man in the middle attack from lack of certificate
    validation in nss plugin (LP: #251304)
    - debian/patches/99_SECURITY_CVE-2008-3532.patch: modified
      libpurple/plugins/ssl/ssl-nss.c to add certificate validation code.
    - CVE-2008-3532

 -- Marc Deslauriers <email address hidden> Thu, 20 Nov 2008 15:54:34 -0500

Changed in pidgin:
status: Confirmed → Fix Released