Bug 519224 (CVE-2009-3026)

Summary: CVE-2009-3026 pidgin: ignores SSL/TLS requirements with old jabber servers
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: jlieskov, mcepl, wtogami
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-19 15:32:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 522536, 522537, 522538, 522539, 833962
Bug Blocks:

Description Vincent Danen 2009-08-25 17:36:09 UTC
A bug [1] in libpurple has pidgin ignore the "require TLS/SSL" preference setting when connecting to very old jabber servers that do not follow the XMPP spec.  When pidgin connects to this type of jabber server with TLS/SSL required, the encrypted connection fails but a non-encrypted connection will then be established rather than being refused.

This has been fixed upstream with the following commit:

http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279

According to the Debian bug report [2], gaim suffers from the same issue but it does not have a "require TLS/SSL" preference setting to enable.

[1] http://developer.pidgin.im/ticket/8131
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891
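The defect class described in the report is a fail-open downgrade: the client's "require TLS/SSL" preference is checked on the normal path but not on the path taken when an old, non-spec server never offers STARTTLS, so the session silently proceeds in plaintext. The following C model is an added illustration written for this page; it is not libpurple code and does not reproduce the actual auth.c logic. The server struct, the `connect_fail_open` / `connect_fail_closed` functions and the sample server list are all constructed assumptions used to contrast the two patterns.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical simplified model of an XMPP connection attempt
   (constructed for illustration; not libpurple's implementation). */

typedef enum {
    CONN_ENCRYPTED,   /* STARTTLS negotiated, session encrypted   */
    CONN_PLAINTEXT,   /* session established without encryption   */
    CONN_REFUSED      /* client declined to continue              */
} conn_result;

/* Constructed stand-in for what a server announces in its stream features. */
typedef struct {
    const char *name;
    bool advertises_starttls;   /* modern server following the XMPP spec */
    bool starttls_succeeds;     /* whether the TLS handshake would complete */
} fake_server;

/* Fail-open pattern (the bug class in this report): the preference is
   never consulted on the path where no TLS negotiation happens, so an
   old server that omits STARTTLS yields a plaintext session. */
conn_result connect_fail_open(const fake_server *s, bool require_tls)
{
    (void)require_tls;  /* preference ignored on this code path */
    if (s->advertises_starttls && s->starttls_succeeds)
        return CONN_ENCRYPTED;
    return CONN_PLAINTEXT;
}

/* Fail-closed pattern: every path that would otherwise proceed without
   encryption re-checks the preference and refuses rather than downgrading. */
conn_result connect_fail_closed(const fake_server *s, bool require_tls)
{
    if (s->advertises_starttls) {
        if (s->starttls_succeeds)
            return CONN_ENCRYPTED;
        return CONN_REFUSED;  /* handshake failed: never fall back */
    }
    /* Server did not offer STARTTLS (old, non-spec server). */
    if (require_tls)
        return CONN_REFUSED;
    return CONN_PLAINTEXT;    /* only when the user did not require TLS */
}

/* Count plaintext sessions established with "require TLS" enabled across
   a list of servers; a correct client must always return 0 here. */
int count_plaintext(conn_result (*connect)(const fake_server *, bool),
                    const fake_server *servers, int n)
{
    int leaks = 0;
    for (int i = 0; i < n; i++)
        if (connect(&servers[i], true) == CONN_PLAINTEXT)
            leaks++;
    return leaks;
}

/* Constructed sample servers (hypothetical hostnames). */
static const fake_server SAMPLE_SERVERS[] = {
    { "modern.example",     true,  true  },
    { "broken-tls.example", true,  false },
    { "legacy.example",     false, false },
};
#define N_SAMPLE 3

int main(void)
{
    printf("fail-open  plaintext sessions with require_tls=1: %d\n",
           count_plaintext(connect_fail_open, SAMPLE_SERVERS, N_SAMPLE));
    printf("fail-closed plaintext sessions with require_tls=1: %d\n",
           count_plaintext(connect_fail_closed, SAMPLE_SERVERS, N_SAMPLE));
    return 0;
}
```

The check worth carrying over to a real client is the invariant tested by `count_plaintext`: with the preference enabled, no code path may return a plaintext session, including the path where the server never advertises encryption at all.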

Comment 1 Vincent Danen 2009-08-31 19:57:25 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3026 to
the following vulnerability:

Name: CVE-2009-3026
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3026
Reference: MLIST:[oss-security] 20090824 CVE id request: pidgin
Reference: URL: http://www.openwall.com/lists/oss-security/2009/08/24/2
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891
Reference: CONFIRM: http://developer.pidgin.im/ticket/8131
Reference: CONFIRM: http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279

protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly
other versions, does not follow the "require TLS/SSL" preference when
connecting to older Jabber servers that do not follow the XMPP
specification, which causes libpurple to connect to the server without
the expected encryption and allows remote attackers to sniff sessions.

Comment 3 Warren Togami 2009-09-03 16:27:13 UTC
Upstream pidgin says this was fixed in 2.6.0, but not backported for the 2.5.9 security release.

Comment 7 errata-xmlrpc 2009-09-21 15:46:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1453 https://rhn.redhat.com/errata/RHSA-2009-1453.html