It was reported that the SSL/TLS plug-ins failed to check that the Basic Constraints extension allowed intermediate certificates to act as Certificate Authorities (CAs). An attacker could use this flaw to create a fake certificate that Pidgin would trust, which could be used for man-in-the-middle attacks. This is the same situation as described in http://www.thoughtcrime.org/ie-ssl-chain.txt

Acknowledgments:

Name: the Pidgin project
Upstream: Jacob Appelbaum, Moxie Marlinspike
Created attachment 948786: patch from upstream
Public now: http://www.pidgin.im/news/security/?id=86
Created pidgin tracking bugs for this issue: Affects: fedora-all [bug 1155838]
pidgin-2.10.10-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
pidgin-2.10.10-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Analysis
========

Basic Constraints checking is missing for the certificates in the code for pidgin, so an attacker who already has a valid CA-signed certificate for any domain can generate a valid CA-signed certificate and request signature for any other domain. As there are no checks for Basic Constraints, it fails to check whether a man-in-the-middle attack is being executed with the help of a malicious certificate whenever an SSL connection is initiated with the server.
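A minimal model of the check the analysis above says was missing, as an added example that is not Pidgin's code or the upstream patch: it parses the DER BasicConstraints value and refuses any issuing certificate that does not assert cA=TRUE or that exceeds its pathLenConstraint. The certificate dicts, the `cert` helper and the sample names are constructed; signature verification is assumed to have happened elsewhere.

```python
# Added example (not Pidgin code); signature checks are assumed done elsewhere.
BASIC_CONSTRAINTS_OID = "2.5.29.19"

def parse_basic_constraints(der):
    """Decode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL } and return (ca, path_len)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("malformed BasicConstraints SEQUENCE")
    body, ca, path_len, i = der[2:], False, None, 0
    if i < len(body) and body[i] == 0x01:            # BOOLEAN cA
        if body[i + 1] != 1: raise ValueError("bad BOOLEAN length")
        ca, i = body[i + 2] != 0, i + 3
    if i < len(body) and body[i] == 0x02:            # INTEGER pathLenConstraint
        n = body[i + 1]
        path_len, i = int.from_bytes(body[i + 2:i + 2 + n], "big"), i + 2 + n
    if i != len(body):
        raise ValueError("trailing data in BasicConstraints")
    return ca, path_len

def validate_chain(chain, trusted_root_subject):
    """chain[0] is the server certificate, chain[k] is issued by chain[k+1],
    and the last entry must be issued by the trusted root. Returns (ok, why)."""
    if not chain: return False, "empty chain"
    for k, cert in enumerate(chain):
        expected = chain[k + 1]["subject"] if k + 1 < len(chain) else trusted_root_subject
        if cert["issuer"] != expected:
            return False, f"{cert['subject']}: issuer name does not chain"
        if k == 0:
            continue                                  # the leaf need not be a CA
        bc = cert["extensions"].get(BASIC_CONSTRAINTS_OID)
        if bc is None:
            return False, f"{cert['subject']}: no BasicConstraints, cannot act as CA"
        ca, path_len = parse_basic_constraints(bc)
        if not ca:
            return False, f"{cert['subject']}: cA is FALSE, cannot act as CA"
        # chain[1:k] are the intermediate CAs below this one; pathLen bounds them
        if path_len is not None and k - 1 > path_len:
            return False, f"{cert['subject']}: pathLenConstraint {path_len} exceeded"
    return True, "ok"

# Constructed sample chains (names and DER values made up for this example).
ROOT = "CN=Example Root CA"
def cert(subject, issuer, bc_hex=None):
    ext = {BASIC_CONSTRAINTS_OID: bytes.fromhex(bc_hex)} if bc_hex else {}
    return {"subject": subject, "issuer": issuer, "extensions": ext}
ISSUING_CA = cert("CN=Example Issuing CA", ROOT, "30060101ff020100")  # cA=TRUE, pathLen 0
GOOD_CHAIN = [cert("CN=chat.example", "CN=Example Issuing CA", "3000"), ISSUING_CA]
# The report's scenario: an end-entity cert (cA=FALSE) is used to sign another name.
ROGUE_CHAIN = [cert("CN=chat.example", "CN=other.example"),
               cert("CN=other.example", "CN=Example Issuing CA", "3000"), ISSUING_CA]
```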
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2017:1854 https://access.redhat.com/errata/RHSA-2017:1854