Bug 519224 – CVE-2009-3026 pidgin: ignores SSL/TLS requirements with old jabber servers

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 519224 - (CVE-2009-3026) CVE-2009-3026 pidgin: ignores SSL/TLS requirements with old jabber servers

Summary:	CVE-2009-3026 pidgin: ignores SSL/TLS requirements with old jabber servers

Status:	CLOSED ERRATA

Aliases:	CVE-2009-3026

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,source=debian,reported=200...
Keywords:	Security

Depends On:	522536 522537 522538 522539 833962
Blocks:
	Show dependency tree / graph

Reported:	2009-08-25 13:36 EDT by Vincent Danen
Modified:	2012-06-20 10:31 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2009-11-19 10:32:31 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2009:1453	normal	SHIPPED_LIVE	Moderate: pidgin security update	2009-09-21 11:46:05 EDT

Groups: None (edit)

Description Vincent Danen 2009-08-25 13:36:09 EDT

A bug [1] in libpurple has pidgin ignore the "require TLS/SSL" preference setting when connecting to very old jabber servers that do not follow the XMPP spec.  When pidgin connects to this type of jabber server with TLS/SSL required, the encrypted connection fails but a non-encrypted connection will then be established rather than being refused.

This has been fixed upstream with the following commit:

http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279

According to the Debian bug report [2], gaim suffers from the same issue but it does not have a "require TLS/SSL" preference setting to enable.

[1] http://developer.pidgin.im/ticket/8131
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891

Comment 1 Vincent Danen 2009-08-31 15:57:25 EDT

Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3026 to
the following vulnerability:

Name: CVE-2009-3026
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3026
Reference: MLIST:[oss-security] 20090824 CVE id request: pidgin
Reference: URL: http://www.openwall.com/lists/oss-security/2009/08/24/2
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891
Reference: CONFIRM: http://developer.pidgin.im/ticket/8131
Reference: CONFIRM: http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279

protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly
other versions, does not follow the "require TLS/SSL" preference when
connecting to older Jabber servers that do not follow the XMPP
specification, which causes libpurple to connect to the server without
the expected encryption and allows remote attackers to sniff sessions.

Comment 3 Warren Togami 2009-09-03 12:27:13 EDT

Upstream pidgin says this was fixed in 2.6.0, but not backported for the 2.5.9 security release.

Comment 7 errata-xmlrpc 2009-09-21 11:46:19 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1453 https://rhn.redhat.com/errata/RHSA-2009-1453.html

Note You need to log in before you can comment on or make changes to this bug.