Your message dated Sun, 23 Aug 2009 14:02:49 +0000
with message-id <[email protected]>
and subject line Bug#533052: fixed in pidgin 2.4.3-4lenny3
has caused the Debian Bug report #533052,
regarding pidgin crashes when XMPP server SSL cert is self-signed
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
533052: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=533052
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pidgin
Version: 2.4.3-4lenny2
Severity: important
See upstream bug http://developer.pidgin.im/ticket/7013
there's a patch there, too.
Note that this is *NOT* the problem related to libxml which
has been reported oh so many times already. That is unrelated
and was tracked by upstream in http://developer.pidgin.im/ticket/8830
Rather, it's a problem with 25_ssl-nss.patch which was
applied in this change:
pidgin (2.4.3-2) unstable; urgency=low

  * Apply patch from Miron Cuperman to fix path to CA certificates in
    00_debian-ca-certs.path
  * debian/patches/25_ssl-nss.patch:
    - Apply patch from upstream to add SSL certificate checking to the NSS
      plugin, which we use (CVE-2008-3532) (Closes: #492434)

 -- Ari Pollak <[email protected]>  Tue, 24 Sep 2008 20:48:03 -0400
I got that exact same trace as in the upstream bug report on Lenny
when trying to connect to an XMPP server using a self-signed SSL certificate,
ending in strcmp() called by x509_signed_by() in the ssl-nss code.
Dropping the upstream patch which I quote below into
debian/patches/33_ssl-nss-self-signed-crash.patch
and rebuilding the package and reinstalling pidgin
and libpurple from the resulting packages fixed the problem for me.
#
#
# patch "libpurple/plugins/ssl/ssl-nss.c"
# from [c6c576ba92370703e89850d8e6dc88b7fec3e523]
# to [d6de7a59c8b1c42086fd8e7153865718fc3289e6]
#
============================================================
--- libpurple/plugins/ssl/ssl-nss.c c6c576ba92370703e89850d8e6dc88b7fec3e523
+++ libpurple/plugins/ssl/ssl-nss.c d6de7a59c8b1c42086fd8e7153865718fc3289e6
@@ -285,7 +285,8 @@ ssl_nss_get_peer_certificates(PRFileDesc
}
for (count = 0 ; count < CERT_MAX_CERT_CHAIN ; count++) {
- purple_debug_info("nss", "subject=%s issuer=%s\n",
curcert->subjectName, curcert->issuerName);
+ purple_debug_info("nss", "subject=%s issuer=%s\n",
curcert->subjectName,
+ curcert->issuerName ?
curcert->issuerName : "(null)");
newcrt = x509_import_from_nss(curcert);
peer_certs = g_list_append(peer_certs, newcrt);
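Review bot: the NULL fallback in the purple_debug_info call covers only curcert->issuerName; curcert->subjectName is still handed to a %s conversion unguarded, so a chain entry with no subject name would hit the same class of problem this hunk is fixing. Guard it symmetrically, e.g. `curcert->subjectName ? curcert->subjectName : "(null)"`. The loop also passes curcert straight into x509_import_from_nss() without a NULL check; the loop's advancement of curcert is outside the visible context, so confirm the chain walk guarantees a non-NULL curcert for every count < CERT_MAX_CERT_CHAIN.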
@@ -676,7 +677,8 @@ x509_signed_by(PurpleCertificate * crt,
subjectCert = X509_NSS_DATA(crt);
g_return_val_if_fail(subjectCert, FALSE);
- if ( PORT_Strcmp(subjectCert->issuerName, issuerCert->subjectName) != 0
)
+ if (subjectCert->issuerName == NULL
+ || PORT_Strcmp(subjectCert->issuerName,
issuerCert->subjectName) != 0)
return FALSE;
st = CERT_VerifySignedData(&subjectCert->signatureWrap, issuerCert,
PR_Now(), NULL);
return st == SECSuccess;
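Review bot: the new condition checks subjectCert->issuerName but not the other operand of PORT_Strcmp, issuerCert->subjectName, so the comparison can still dereference NULL from the issuer side; extend it to `|| issuerCert->subjectName == NULL`. issuerCert itself has no g_return_val_if_fail in this hunk's context, unlike subjectCert on the line above; if there is none further up, add `g_return_val_if_fail(issuerCert, FALSE);` as well. Returning FALSE on a missing name is the right fail-closed direction: a certificate that names no issuer cannot be shown to be signed by anyone, and CERT_VerifySignedData is then never reached with inconsistent input.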
-- System Information:
Debian Release: 5.0.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages pidgin depends on:
ii gconf2 2.22.0-1 GNOME configuration database syste
ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libcairo2 1.6.4-7 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.2.1-5 simple interprocess messaging syst
ii libdbus-glib-1-2 0.76-1 simple interprocess messaging syst
ii libglib2.0-0 2.16.6-1+lenny1 The GLib library of C routines
ii libgstreamer0.10-0 0.10.19-3 Core GStreamer libraries and eleme
ii libgtk2.0-0 2.12.12-1~lenny1 The GTK+ graphical user interface
ii libgtkspell0 2.0.13-1+b1 a spell-checking addon for GTK's T
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libpango1.0-0 1.20.5-3+lenny1 Layout and rendering of internatio
ii libpurple0 2.4.3-4lenny2 multi-protocol instant messaging l
ii libsm6 2:1.0.3-2 X11 Session Management library
ii libstartup-notification 0.9-1 library for program launch feedbac
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxss1 1:1.1.3-1 X11 Screen Saver extension library
ii perl 5.10.0-19 Larry Wall's Practical Extraction
ii perl-base [perlapi-5.10 5.10.0-19 minimal Perl system
ii pidgin-data 2.4.3-4lenny2 multi-protocol instant messaging c
Versions of packages pidgin recommends:
ii gstreamer0.10-plugins- 0.10.19-2 GStreamer plugins from the "base"
ii gstreamer0.10-plugins- 0.10.8-4.1~lenny1 GStreamer plugins from the "good"
Versions of packages pidgin suggests:
ii evolution-data-server 2.22.3-1.1+lenny1 evolution database backend server
ii gnome-panel 2.20.3-5 launcher and docking facility for
ii libsqlite3-0 3.5.9-6 SQLite 3 shared library
-- no debconf information
--- End Message ---
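The report above describes a NULL issuer name reaching strcmp() inside the name-linkage step of x509_signed_by(). The following is an added example, not code from pidgin, libpurple or NSS, that models only that name-linkage step over a leaf-first chain, fails closed when either name is missing, and distinguishes a self-signed end of chain from a chain whose issuer must come from a trust store. The cert_t type, the status enum, the function names and every certificate name are constructed for the example; it does not perform signature verification (the CERT_VerifySignedData step), which is out of scope here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed minimal certificate model for the example (not NSS's CERTCertificate). */
typedef struct {
    const char *subjectName;
    const char *issuerName;   /* may be NULL, as in the crash reported above */
} cert_t;

typedef enum {
    CHAIN_OK_SELF_SIGNED,   /* chain ends in a certificate that names itself as issuer */
    CHAIN_OK_UNANCHORED,    /* chain links cleanly but its last issuer is not in the chain */
    CHAIN_BROKEN_LINK,      /* an issuer/subject name pair does not match */
    CHAIN_MISSING_NAME,     /* a certificate lacks a subject or issuer name */
    CHAIN_EMPTY
} chain_status_t;

/* Name-linkage half of an x509_signed_by-style check: does `issuer` carry the
 * name that `subject` says issued it?  A NULL name on either side returns
 * false (fail closed) instead of reaching strcmp(), which is the crash the
 * Debian report describes. */
bool name_linked(const cert_t *subject, const cert_t *issuer)
{
    if (subject == NULL || issuer == NULL)
        return false;
    if (subject->issuerName == NULL || issuer->subjectName == NULL)
        return false;
    return strcmp(subject->issuerName, issuer->subjectName) == 0;
}

/* Self-signed by name: subject and issuer names agree on the same certificate. */
bool is_self_signed_by_name(const cert_t *c)
{
    return name_linked(c, c);
}

/* Walk a leaf-first chain (chain[0] is the peer, chain[n-1] the last issuer
 * the peer presented) and classify its name linkage.  A real verifier would
 * follow CHAIN_OK_UNANCHORED with a trust-store lookup of the last issuer. */
chain_status_t walk_chain(const cert_t *chain, size_t n)
{
    if (chain == NULL || n == 0)
        return CHAIN_EMPTY;
    for (size_t i = 0; i < n; i++) {
        if (chain[i].subjectName == NULL || chain[i].issuerName == NULL)
            return CHAIN_MISSING_NAME;
    }
    for (size_t i = 0; i + 1 < n; i++) {
        if (!name_linked(&chain[i], &chain[i + 1]))
            return CHAIN_BROKEN_LINK;
    }
    return is_self_signed_by_name(&chain[n - 1]) ? CHAIN_OK_SELF_SIGNED
                                                 : CHAIN_OK_UNANCHORED;
}

/* Constructed sample certificates; the names are invented for the example. */
static const cert_t sample_self_signed = { "CN=xmpp.example.org", "CN=xmpp.example.org" };
static const cert_t sample_null_issuer = { "CN=xmpp.example.org", NULL };
static const cert_t sample_leaf        = { "CN=xmpp.example.org", "CN=Example CA" };
static const cert_t sample_ca          = { "CN=Example CA",       "CN=Example CA" };
static const cert_t sample_other_ca    = { "CN=Other CA",         "CN=Other CA" };

chain_status_t demo_self_signed(void)
{
    const cert_t chain[] = { sample_self_signed };
    return walk_chain(chain, 1);
}

chain_status_t demo_null_issuer(void)
{
    /* The reported case: the unguarded strcmp() would crash here. */
    const cert_t chain[] = { sample_null_issuer };
    return walk_chain(chain, 1);
}

chain_status_t demo_ca_chain(void)
{
    const cert_t chain[] = { sample_leaf, sample_ca };
    return walk_chain(chain, 2);
}

chain_status_t demo_broken(void)
{
    const cert_t chain[] = { sample_leaf, sample_other_ca };
    return walk_chain(chain, 2);
}

chain_status_t demo_unanchored(void)
{
    const cert_t chain[] = { sample_leaf };
    return walk_chain(chain, 1);
}

int main(void)
{
    static const char *label[] = { "OK_SELF_SIGNED", "OK_UNANCHORED",
                                   "BROKEN_LINK", "MISSING_NAME", "EMPTY" };
    printf("self-signed : %s\n", label[demo_self_signed()]);
    printf("null issuer : %s\n", label[demo_null_issuer()]);
    printf("leaf + CA   : %s\n", label[demo_ca_chain()]);
    printf("wrong CA    : %s\n", label[demo_broken()]);
    printf("leaf only   : %s\n", label[demo_unanchored()]);
    return 0;
}
```

The point of the NULL guard is that a missing name is treated as "not signed by this issuer" rather than as a crash; whether the resulting self-signed or unanchored chain is then accepted is a separate policy decision (prompt the user, consult the trust store) that this example deliberately leaves to the caller.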
--- Begin Message ---
Source: pidgin
Source-Version: 2.4.3-4lenny3
We believe that the bug you reported is fixed in the latest version of
pidgin, which is due to be installed in the Debian FTP archive:
finch-dev_2.4.3-4lenny3_all.deb
to pool/main/p/pidgin/finch-dev_2.4.3-4lenny3_all.deb
finch_2.4.3-4lenny3_amd64.deb
to pool/main/p/pidgin/finch_2.4.3-4lenny3_amd64.deb
libpurple-bin_2.4.3-4lenny3_all.deb
to pool/main/p/pidgin/libpurple-bin_2.4.3-4lenny3_all.deb
libpurple-dev_2.4.3-4lenny3_all.deb
to pool/main/p/pidgin/libpurple-dev_2.4.3-4lenny3_all.deb
libpurple0_2.4.3-4lenny3_amd64.deb
to pool/main/p/pidgin/libpurple0_2.4.3-4lenny3_amd64.deb
pidgin-data_2.4.3-4lenny3_all.deb
to pool/main/p/pidgin/pidgin-data_2.4.3-4lenny3_all.deb
pidgin-dbg_2.4.3-4lenny3_amd64.deb
to pool/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_amd64.deb
pidgin-dev_2.4.3-4lenny3_all.deb
to pool/main/p/pidgin/pidgin-dev_2.4.3-4lenny3_all.deb
pidgin_2.4.3-4lenny3.diff.gz
to pool/main/p/pidgin/pidgin_2.4.3-4lenny3.diff.gz
pidgin_2.4.3-4lenny3.dsc
to pool/main/p/pidgin/pidgin_2.4.3-4lenny3.dsc
pidgin_2.4.3-4lenny3_amd64.deb
to pool/main/p/pidgin/pidgin_2.4.3-4lenny3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ari Pollak <[email protected]> (supplier of updated pidgin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Format: 1.8
Date: Fri, 14 Aug 2009 20:54:11 -0400
Source: pidgin
Binary: libpurple0 pidgin pidgin-data pidgin-dev pidgin-dbg finch finch-dev libpurple-dev libpurple-bin
Architecture: source all amd64
Version: 2.4.3-4lenny3
Distribution: stable-security
Urgency: low
Maintainer: Ari Pollak <[email protected]>
Changed-By: Ari Pollak <[email protected]>
Description:
finch - text-based multi-protocol instant messaging client
finch-dev - text-based multi-protocol instant messaging client - development
libpurple-bin - multi-protocol instant messaging library - extra utilities
libpurple-dev - multi-protocol instant messaging library - development files
libpurple0 - multi-protocol instant messaging library
pidgin - graphical multi-protocol instant messaging client for X
pidgin-data - multi-protocol instant messaging client - data files
pidgin-dbg - Debugging symbols for Pidgin
pidgin-dev - multi-protocol instant messaging client - development files
Closes: 533052
Changes:
pidgin (2.4.3-4lenny3) stable-security; urgency=low
.
  * debian/patches/33_ssl-nss-self-signed-crash.patch:
    - fix a regression caused by 25_ssl-nss.patch which causes a crash when
      trying to connect to an XMPP server with a self-signed SSL certificate.
      (Closes: #533052)
  * debian/patches/34_CVE-2009-2694.patch:
    - fix a buffer overflow in MSN (CVE-2009-2694)
Checksums-Sha1:
cf83e18c2cd334e8dd0cfaa98baefa131ea234d6 1784 pidgin_2.4.3-4lenny3.dsc
369d6e873e6d1242f8d9b467cab8bcffe1c8887f 67928 pidgin_2.4.3-4lenny3.diff.gz
f7d0cced97a34b735e53fd9f32ee80373d713556 7018488 pidgin-data_2.4.3-4lenny3_all.deb
96fe34bd247775c6e6a46173d7f40a31a2a76c73 354146 pidgin-dev_2.4.3-4lenny3_all.deb
2abe5330eeff922fff95647a605efc7910c9457a 159388 finch-dev_2.4.3-4lenny3_all.deb
4eb00bb832794884c620e1f97031676d504c4453 276890 libpurple-dev_2.4.3-4lenny3_all.deb
21c222d7687fa9c46b97429813376b7334f54db4 133552 libpurple-bin_2.4.3-4lenny3_all.deb
e0b8a56f8c33ec5e36cdcbd9e3ed6abf6688e244 1706142 libpurple0_2.4.3-4lenny3_amd64.deb
12a729ad13acc3cdb2b287435860c8d7539f56d6 722220 pidgin_2.4.3-4lenny3_amd64.deb
e350f655b171049458fb9ccc3b9874acd2e575ee 5668550 pidgin-dbg_2.4.3-4lenny3_amd64.deb
5986d2371e38b2116f38fba692e575a5c87e3ba8 345894 finch_2.4.3-4lenny3_amd64.deb
Checksums-Sha256:
04e5f4aeeab52e3f9625f36ed715ebfdd52c3f828fc529b6f42877abf580683d 1784 pidgin_2.4.3-4lenny3.dsc
d2d19922918fe532f7e0036bf3746a124f202522d605af4ec126a69011ac8ca8 67928 pidgin_2.4.3-4lenny3.diff.gz
dc506d7e7857e20564dc12cabcd13389a3ad1840aeb8deae33fef97ad86dee4f 7018488 pidgin-data_2.4.3-4lenny3_all.deb
f2aa8a6e7d1228af6381995b6df3da8b46d7df220e7e2921584eca20ff862831 354146 pidgin-dev_2.4.3-4lenny3_all.deb
22ba13165506da6ca4548028cd6e410051e8015e710bda3d7f47240370260b86 159388 finch-dev_2.4.3-4lenny3_all.deb
aebf58b89269d721c248363738ff3d434eeaae2cb400de97b17ec66f70470297 276890 libpurple-dev_2.4.3-4lenny3_all.deb
b941a75ea261f054d7d2fea540c3d3dd25b6997cfc8532ac85b7e3433c10e709 133552 libpurple-bin_2.4.3-4lenny3_all.deb
f7e27637fa861cd6e0ffabb1b21ae1224408a55fd84f0c21353856a5a636a355 1706142 libpurple0_2.4.3-4lenny3_amd64.deb
9a2f50f606f548ca2bdd0aad883766559d3055fabbba5a7fa2d8f973e4ba7a08 722220 pidgin_2.4.3-4lenny3_amd64.deb
387cb166055f9aeea99dc55cf34ee0817f7f49d2b0567523a1bc4ffadbb2e8b4 5668550 pidgin-dbg_2.4.3-4lenny3_amd64.deb
47de9f50b040b81c519ba41f01e39a481bbb6e3103a294aa9615b8f9e92c70b7 345894 finch_2.4.3-4lenny3_amd64.deb
Files:
e9bc246ba4f0ca8dab1436d66bd00adb 1784 net optional pidgin_2.4.3-4lenny3.dsc
545981a43e8c1b905ea1adb0da9b1b4d 67928 net optional pidgin_2.4.3-4lenny3.diff.gz
09b2f817c71774e2108b4366602f5dcf 7018488 net optional pidgin-data_2.4.3-4lenny3_all.deb
291a984ea00f92d67a3d0b99040d7d72 354146 devel optional pidgin-dev_2.4.3-4lenny3_all.deb
f73823fb36f1d0487cc29d0d71a7a471 159388 devel optional finch-dev_2.4.3-4lenny3_all.deb
dab9b30c46f9a2c03af02d381cb029cf 276890 libdevel optional libpurple-dev_2.4.3-4lenny3_all.deb
d4adb0ff7da09da14d34f3ae9484ea94 133552 net optional libpurple-bin_2.4.3-4lenny3_all.deb
2f1f823ff5c26eb1cc67874633a6891d 1706142 net optional libpurple0_2.4.3-4lenny3_amd64.deb
e249e5fb7581ec28a0f4e0a32fab3d2c 722220 net optional pidgin_2.4.3-4lenny3_amd64.deb
58b27242ababd545a49b080527cd8769 5668550 net extra pidgin-dbg_2.4.3-4lenny3_amd64.deb
4b31436a96b5834d8ebe3639b837093d 345894 net optional finch_2.4.3-4lenny3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEAREDAAYFAkqK27UACgkQwO+u47cOQDuRNQCeO4Gj2N0FWgvVDd3FdZ760mi1
HJEAn06i9stYEh5OxlElq7+uwGz6XeIW
=rY4+
-----END PGP SIGNATURE-----
--- End Message ---