Bug 1154908 (CVE-2014-3694)

Summary: CVE-2014-3694 pidgin: SSL/TLS plug-ins failed to check Basic Constraints
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: cschalle, debarshir, itamar, jrusnack, jskarvad, jsynacek, mbarnes, security-response-team, sisharma, stu, vdanen
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pidgin 2.10.10 Doc Type: Bug Fix
Doc Text:
It was found that Pidgin's SSL/TLS plug-ins had a flaw in the certificate validation functionality. An attacker could use this flaw to create a fake certificate, that Pidgin would trust, which could be used to conduct man-in-the-middle attacks against Pidgin.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:35:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1155838, 1340770, 1403136, 1446519    
Bug Blocks: 1154913, 1415638    
Attachments:
Description Flags
patch from upstream none

Description Murray McAllister 2014-10-21 03:16:13 UTC 
It was reported that the SSL/TLS plug-ins failed to check that the Basic Constraints extension allowed intermediate certificates to act as Certificate Authorities (CAs). An attacker could use this flaw to create a fake certificate that Pidgin would trust, which could be used for man-in-the-middle attacks.

This is the same situation as described in http://www.thoughtcrime.org/ie-ssl-chain.txt

Acknowledgments:

Name: the Pidgin project
Upstream: Jacob Appelbaum, Moxie Marlinspike
Comment 1 Murray McAllister 2014-10-21 03:17:13 UTC 
Created attachment 948786 [details]
patch from upstream
Comment 3 Murray McAllister 2014-10-23 01:21:43 UTC 
Public now:

http://www.pidgin.im/news/security/?id=86
Comment 4 Murray McAllister 2014-10-23 01:26:43 UTC 
Created pidgin tracking bugs for this issue:

Affects: fedora-all [bug 1155838]
Comment 5 Fedora Update System 2014-11-10 06:31:35 UTC 
pidgin-2.10.10-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-11-10 06:47:35 UTC 
pidgin-2.10.10-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Siddharth Sharma 2014-12-02 09:58:13 UTC 
Analysis
========

Basic Constraints checking is missing for the certificates in the code for pidgin, so attacker who already has an valid CA-Signed Certificate of any domain can generate a valid CA-Signed certificate and request signature for any other domain. As there are no checks for Basic Constraints it fails to the check if there is an man-in-the-middle attack executed with the help of malicious certificate whenever there is SSL connection intiated with the server.
Comment 13 errata-xmlrpc 2017-08-01 20:20:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1854 https://access.redhat.com/errata/RHSA-2017:1854