Your message dated Sun, 03 May 2015 01:41:34 +0200
with message-id <[email protected]>
and subject line Re:  [libpurple0] Please disable fix for CVE-2011-3389 in 
ssl-nss for Sipe protocol plugin
has caused the Debian Bug report #681593,
regarding [libpurple0] Please disable fix for CVE-2011-3389 in ssl-nss for Sipe 
protocol plugin
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
681593: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681593
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpurple0
Version: 2.10.6-1
Severity: important
Tags: patch

--- Please enter the report below this line. ---

libnss3 3.13.1 introduced a fix for CVE-2011-3389 [1] :

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
  https://bugzilla.mozilla.org/show_bug.cgi?id=665814
  https://bugzilla.mozilla.org/show_bug.cgi?id=702111

Microsoft OCS/Lync servers seem to be one of the SSL servers that don't support
the 1/n-1 record splitting. This makes pidgin-sipe plugin unusable with pidgin's
default configuration, see bug [2].

Known workaround is to set environment variable NSS_SSL_CBC_RANDOM_IV=0 when
running Pidgin. I propose the attached patch for libpurple ssl-nss plugin that
detects whether Sipe plugin is loaded and sets SSL_CBC_RANDOM_IV option
accordingly at runtime.

With this solution the security fix is not unnecessarily disabled for the 
majority
of Pidgin users, but pidgin-sipe is allowed to work out of the box, without a 
need
to modify environment variables.

The patch will allow to close RC bugs filled against pidgin-sipe package, so I
would appreciate if it could be included in Wheezy release.

The fix must be done in libpurple because protocol plugins don't have access to
the underlying SSL library.

Regards,

Jakub

[1] http://security-tracker.debian.org/tracker/CVE-2011-3389
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649456

--- System information. ---
Architecture: amd64
Kernel:       Linux 3.2.0-3-amd64

Debian Release: wheezy/sid
  500 unstable        ftp.cz.debian.org
  500 testing         security.debian.org
  500 testing         ftp.cz.debian.org
  500 stable          ftp.cz.debian.org
  500 stable          emdebian.org
    1 experimental    ftp.cz.debian.org

--- Package information. ---
Depends                                     (Version) | Installed
=====================================================-+-==================
pidgin-data                               (>= 2.10.6) | 2.10.6-1
pidgin-data                             (<< 2.10.6-z) | 2.10.6-1
libavahi-client3                          (>= 0.6.16) | 0.6.31-1
libavahi-common3                          (>= 0.6.16) | 0.6.31-1
libavahi-glib1                            (>= 0.6.16) | 0.6.31-1
libc6                                        (>= 2.7) | 2.13-33
libdbus-1-3                                (>= 1.0.2) | 1.6.0-1
libdbus-glib-1-2                            (>= 0.78) | 0.100-1
libfarstream-0.1-0                         (>= 0.1.1) | 0.1.2-1
libglib2.0-0                              (>= 2.30.0) | 2.32.3-1
libgstreamer-plugins-base0.10-0           (>= 0.10.0) | 0.10.36-1
libgstreamer0.10-0                       (>= 0.10.20) | 0.10.36-1
libidn11                                    (>= 1.13) | 1.25-2
libmeanwhile1                              (>= 1.0.2) | 1.0.2-4
libnspr4                               (>= 2:4.9-2~)  | 2:4.9.1-1
 OR libnspr4-0d                         (>= 1.8.0.10) | 2:4.9.1-1
libnss3                             (>= 2:3.13.4-2~)  | 2:3.13.5-1
 OR libnss3-1d                      (>= 3.12.0~1.9b1) | 2:3.13.5-1
libperl5.14                               (>= 5.14.2) | 5.14.2-12
libsasl2-2                                (>= 2.1.24) | 2.1.25.dfsg1-4+b1
libxml2                                    (>= 2.7.4) | 2.8.0+dfsg1-4
libzephyr4                                            | 3.0.2-2
perl-base                              (>= 5.14.2-12) | 5.14.2-12
perlapi-5.14.2                                        |
libsasl2-modules                                      | 2.1.25.dfsg1-4+b1


Recommends           (Version) | Installed
==============================-+-===========
ca-certificates                | 20120623
libpurple-bin                  |


Suggests      (Version) | Installed
=======================-+-===========
tcl8.5       (>= 8.5.0) | 8.5.11-2
tk8.5        (>= 8.5.0) | 8.5.11-2




>From bad502914a6f8b72f6a3ad3d79cc21fde3942136 Mon Sep 17 00:00:00 2001
From: Jakub Adam <[email protected]>
Date: Sat, 14 Jul 2012 16:16:09 +0200
Subject: [PATCH] Disable 1/n-1 record splitting if Sipe plugin is loaded

---
 libpurple/plugins/ssl/ssl-nss.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
index 6ed90db..1a6ebfd 100644
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -386,6 +386,7 @@ ssl_nss_connect(PurpleSslConnection *gsc)
 {
 	PurpleSslNssData *nss_data = g_new0(PurpleSslNssData, 1);
 	PRSocketOptionData socket_opt;
+	GList *purple_plugins = purple_plugins_get_protocols();
 
 	gsc->private_data = nss_data;
 
@@ -429,6 +430,19 @@ ssl_nss_connect(PurpleSslConnection *gsc)
 	SSL_OptionSet(nss_data->in, SSL_SECURITY,            PR_TRUE);
 	SSL_OptionSet(nss_data->in, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
 
+	/* Disable 1/n-1 record splitting if Sipe plugin is loaded, Microsoft
+	 * OCS and Lync servers break connection with this setting on.
+	 *
+	 * Unfortunately it can't be detected here whether this particular
+	 * PurpleSslConnection belongs to Sipe account, so setting is done for all
+	 * or for none. */
+	for (; purple_plugins; purple_plugins = purple_plugins->next) {
+		PurplePlugin *plugin = (PurplePlugin *)purple_plugins->data;
+		if (!strcmp(plugin->info->id, "prpl-sipe")) {
+			SSL_OptionSet(nss_data->in, SSL_CBC_RANDOM_IV, PR_FALSE);
+		}
+	}
+
 	SSL_AuthCertificateHook(nss_data->in,
 							(SSLAuthCertificate)ssl_auth_cert,
 							(void *)CERT_GetDefaultCertDB());
-- 
1.7.10.4


--- End Message ---
--- Begin Message ---
The apparently blocked by this bug is already fixed. Therefore I close
this bug.

--- End Message ---

Reply via email to