Ubuntu
pidgin package

Pidgin XMPP TLS/SSL Man in the Middle attack

Bug #251304 reported by TC
284
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Pidgin
Fix Released
Unknown
pidgin (Debian)
Fix Released
Unknown
pidgin (Ubuntu)
Fix Released
Undecided
Unassigned
Nominated for Hardy by Miron Cuperman

Bug Description

Binary package hint: pidgin

It looks like this bug was reported in Launchpad some time ago, but for the wrong package. I'd love to see it fixed. Here's the original text:

As per http://developer.pidgin.im/ticket/3381 the Pidgin IM client does not properly implement SSL and TLS, particularly components dealing with feedback to the end user.

The client gives the end user no method of determining the validity of the certificate; in cases where a server presents invalid or self-signed certificates, Pidgin operates as normal. As a result, any man-in-the-middle attack can handshake with the server and with the client (using a fake certificate) and perform a decrypt-recrypt process to read the data-- including message text and plaintext passwords-- in plain text.

No proof of concept for this specific attack exists. Those wishing to write one can create an Ettercap plug-in

Revision history for this message
AleksanderAdamowski (aadamowski) wrote :

See also: http://developer.pidgin.im/ticket/3381

Bug Watch Updater (bug-watch-updater)
Changed in pidgin:
status: Unknown → Confirmed
Revision history for this message
Miron Cuperman (devrandom) wrote :

See also http://developer.pidgin.im/ticket/6500 which includes a patch.

Revision history for this message
Kees Cook (kees) wrote :

Has a CVE been assigned for this design failure? I haven't been able to find one yet.

Changed in pidgin:
status: New → Confirmed
Revision history for this message
Miron Cuperman (devrandom) wrote :

I don't think so. I would have done it, but not certain of the procedure.

Revision history for this message
Kees Cook (kees) wrote : Re: [Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

Ah-ha, it appears the request is pending. I found the thread on the
oss-security mailing list.

Revision history for this message
Till Ulen (tillulen) wrote :

On Fri, Aug 8, 2008 at 02:11, Steven M. Christey <coley at linus mitre org> wrote:
>
> On Tue, 5 Aug 2008, Josh Bressers wrote:
>
>> http://developer.pidgin.im/ticket/6500
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492434
>
> Use CVE-2008-3532, to be updated later.
>
> - Steve

Bug Watch Updater (bug-watch-updater)
Changed in pidgin:
status: Confirmed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in pidgin:
status: Unknown → Fix Released
Revision history for this message
dave b. (d+b) wrote :

Has the fix been included into pidgin on ubuntu ?
This is a security risk and should be fixed at some point.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.2.1-1ubuntu4.3

---------------
pidgin (1:2.2.1-1ubuntu4.3) gutsy-security; urgency=low

  * SECURITY UPDATE: code execution via integer overflow in the MSN protocol
    handler (LP: #245770)
    - debian/patches/99_SECURITY_CVE-2008-2927.patch: fix
      msn_slplink_process_msg() in src/protocols/msn/slplink.c by checking
      against maximum size G_MAXSIZE.
    - CVE-2008-2927
  * SECURITY UPDATE: denial of service via specially formulated long
    filename (LP: #245769)
    - debian/patches/99_SECURITY_CVE-2008-2955.patch: change
      src/protocols/msn/[slplink.c,slpcall.*] to make sure xfer structure still
      exists before putting dest_fp in it.
    - CVE-2008-2955
  * SECURITY UPDATE: denial of service via resource exhaustion from arbitrary
    URL in UPnP functionality (LP: #245769)
    - debian/patches/99_SECURITY_CVE-2008-2957.patch: modified
      libpurple/[upnp.c,util.*] to add purple_util_fetch_url_request_len() in
      order to limit http downloads to 128k.
    - CVE-2008-2957
  * SECURITY UPDATE: man in the middle attack from lack of certificate
    validation in nss plugin (LP: #251304)
    - debian/patches/99_SECURITY_CVE-2008-3532.patch: modified
      libpurple/plugins/ssl/ssl-nss.c to add certificate validation code.
    - CVE-2008-3532

 -- Marc Deslauriers <email address hidden> Thu, 20 Nov 2008 15:54:34 -0500

Changed in pidgin:
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.