It was reported that the SSL/TLS plug-ins failed to check that the Basic Constraints extension allowed intermediate certificates to act as Certificate Authorities (CAs). An attacker could use this flaw to create a fake certificate that Pidgin would trust, which could be used for man-in-the-middle attacks.
This is the same situation as described in http://www.thoughtcrime.org/ie-ssl-chain.txt
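As an added example that is not Pidgin's code or the upstream patch, the Python below shows the check the report says was missing: parsing the DER value of the X.509 Basic Constraints extension and refusing any chain in which a certificate lacking cA=TRUE issued the one below it. Certificates are reduced to constructed dicts (subject, issuer, Basic Constraints DER); the names and DER blobs are made up for illustration.

```python
# Added example (not Pidgin's code): the Basic Constraints check the plug-ins lacked.
# Certificates are reduced to dicts holding subject, issuer and the DER-encoded value of
# the X.509 Basic Constraints extension (RFC 5280 4.2.1.9); the DER blobs are constructed.

def parse_basic_constraints(der):
    """Decode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL } -> (ca, pathlen). Absent extension => not a CA."""
    if der is None:
        return False, None
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("malformed BasicConstraints SEQUENCE")
    body, ca, pathlen = der[2:], False, None
    if body[:2] == b"\x01\x01":                 # BOOLEAN cA
        ca, body = body[2] != 0, body[3:]
    if body[:1] == b"\x02":                     # INTEGER pathLenConstraint
        n = body[1]
        pathlen, body = int.from_bytes(body[2:2 + n], "big"), body[2 + n:]
    if body:
        raise ValueError("trailing bytes in BasicConstraints")
    return ca, pathlen

def check_chain(chain):
    """chain[0] is the server cert, chain[-1] the trust anchor. Every certificate that
    issued the one below it must assert cA=TRUE and respect its pathLenConstraint.
    Returns (ok, reason); signature verification is assumed to happen elsewhere."""
    for depth, (child, issuer) in enumerate(zip(chain, chain[1:])):
        if child["issuer"] != issuer["subject"]:
            return False, f"{child['subject']}: issuer name mismatch"
        ca, pathlen = parse_basic_constraints(issuer["basic_constraints"])
        if not ca:
            return False, f"{issuer['subject']} is not a CA but issued {child['subject']}"
        # depth == number of intermediate CA certs between issuer and the server cert
        if pathlen is not None and depth > pathlen:
            return False, f"{issuer['subject']} exceeds pathLenConstraint={pathlen}"
    return True, "ok"

def cert(subject, issuer, basic_constraints):
    return {"subject": subject, "issuer": issuer, "basic_constraints": basic_constraints}

CA_TRUE, CA_TRUE_PATHLEN0, CA_FALSE = b"\x30\x03\x01\x01\xff", b"\x30\x06\x01\x01\xff\x02\x01\x00", b"\x30\x00"
ROOT = cert("Example Root CA", "Example Root CA", CA_TRUE)
INTERMEDIATE = cert("Example Issuing CA", "Example Root CA", CA_TRUE_PATHLEN0)
SITE = cert("legit.example", "Example Issuing CA", CA_FALSE)          # ordinary server cert
# A cert for another host signed with SITE's key: without the check, Pidgin trusted it.
FORGED = cert("xmpp.victim.example", "legit.example", None)
HONEST_CHAIN = [SITE, INTERMEDIATE, ROOT]
MITM_CHAIN = [FORGED, SITE, INTERMEDIATE, ROOT]

if __name__ == "__main__":
    print(check_chain(HONEST_CHAIN), check_chain(MITM_CHAIN))
```

Running it prints `(True, 'ok')` for the honest chain and a rejection naming `legit.example` as a non-CA issuer for the forged one.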
Name: the Pidgin project
Upstream: Jacob Appelbaum, Moxie Marlinspike
Created attachment 948786
patch from upstream
Created pidgin tracking bugs for this issue:
Affects: fedora-all [bug 1155838]
pidgin-2.10.10-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
pidgin-2.10.10-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Basic Constraints checking is missing for the certificates in the code for pidgin, so an attacker who already has a valid CA-signed certificate for any domain can generate a valid CA-signed certificate and request signature for any other domain. As there are no checks for Basic Constraints, it fails to detect a man-in-the-middle attack executed with the help of a malicious certificate whenever an SSL connection is initiated with the server.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:1854 https://access.redhat.com/errata/RHSA-2017:1854