tags 492434 patch
thanks

Miron Cuperman <[EMAIL PROTECTED]> wrote:
> I believe this bug was introduced with the "fix" for bug #401567.
>
> At that time, the SSL implementation was changed from GNUTLS to NSS.   
> Unfortunately, the NSS plugin in pidgin does no certificate checking at  
> all, meaning that any certificate is accepted (including malformed or  
> self-signed ones).
>
> I recommend switching back to gnutls.  Patch attached.  The attached  
> patch also corrects a problem in reading the certificate store from  
> /etc/ssl/certs .  (note that this patch is cumulative to  
> 00_debian-ca-certs.patch .)
>
> Unfortunately, it is now the case that any passwords transmitted over an  
> NSS created link could have been compromised by man-in-the-middle  
> attacks, since many people use the PLAIN auth mechanism.  Any valuable  
> passwords compromised in this way should be changed.
>
> --
> Miron
>

> diff -ur pidgin-2.4.1/debian/rules pidgin-2.4.1-gnutls/debian/rules
> --- pidgin-2.4.1/debian/rules 2008-08-02 19:04:58.000000000 -0700
> +++ pidgin-2.4.1-gnutls/debian/rules  2008-08-02 18:43:49.000000000 -0700
> @@ -20,7 +20,7 @@
>  LDFLAGS = -Wl,--as-needed
>  CFLAGS = -fstack-protector
>  
> -DEB_CONFIGURE_EXTRA_FLAGS := --enable-perl --with-zephyr=/usr --enable-dbus 
> --enable-gnutls=no --enable-nss=yes --enable-cyrus-sasl --enable-nm 
> --disable-silc
> +DEB_CONFIGURE_EXTRA_FLAGS := --enable-perl --with-zephyr=/usr --enable-dbus 
> --enable-gnutls=yes --enable-nss=no --enable-cyrus-sasl --enable-nm 
> --disable-silc
>  DEB_DH_MAKESHLIBS_ARGS_pidgin := -V -X/usr/lib/pidgin
>  DEB_DH_SHLIBDEPS_ARGS_pidgin := -X/usr/lib/pidgin/gevolution.so 
> -X/usr/lib/pidgin/cap.so -- -dSuggests debian/pidgin/usr/lib/pidgin/cap.so 
> -dDepends
>  
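
Review bot: The flip to `--enable-gnutls=yes --enable-nss=no` in DEB_CONFIGURE_EXTRA_FLAGS reverts the backend change that the report says was made for bug #401567, and nothing in this patch says how that earlier problem is handled once GnuTLS is back. Please state that in the changelog or the patch description. The patch as shown touches only debian/rules and libpurple/certificate.c, so also confirm that the Build-Depends in debian/control match the new flags (GnuTLS development package present, NSS one dropped if no longer needed), otherwise configure may fail or silently build without SSL support.
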
> diff -ur pidgin-2.4.1/libpurple/certificate.c 
> pidgin-2.4.1-gnutls/libpurple/certificate.c
> --- pidgin-2.4.1/libpurple/certificate.c      2008-08-02 19:07:10.000000000 
> -0700
> +++ pidgin-2.4.1-gnutls/libpurple/certificate.c       2008-08-02 
> 18:56:25.000000000 -0700
> @@ -745,7 +745,7 @@
>               x509_ca_paths = g_list_append(NULL, g_build_filename(DATADIR,
>                                                  "ca-certs", NULL));
>  #else
> -             x509_ca_paths = g_list_append(NULL, g_build_filename("etc",
> +             x509_ca_paths = g_list_append(NULL, g_build_filename("/etc",
>                                                  "ssl", "certs", NULL));
>  #endif
>       }
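
Review bot: In the `#else` branch, the `"etc"` to `"/etc"` change is right, since the old first element produced the relative path etc/ssl/certs, resolved against the process's working directory rather than the system CA store. It edits libpurple/certificate.c directly, though, while the report calls it cumulative to 00_debian-ca-certs.patch. Fold the change into that patch file so the packaging carries a single CA-path patch, and add a comment there explaining why the leading slash matters. It is also worth confirming that a missing or empty CA directory causes verification to fail rather than pass, since this path was wrong before without being noticed.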

