Package: libpurple0
Version: 2.10.6-1
Severity: important
Tags: patch

--- Please enter the report below this line. ---

libnss3 3.13.1 introduced a fix for CVE-2011-3389 [1]:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
  https://bugzilla.mozilla.org/show_bug.cgi?id=665814
  https://bugzilla.mozilla.org/show_bug.cgi?id=702111

Microsoft OCS/Lync servers seem to be among the SSL servers that don't support
the 1/n-1 record splitting. This makes the pidgin-sipe plugin unusable with
Pidgin's default configuration; see bug [2].

A known workaround is to set the environment variable NSS_SSL_CBC_RANDOM_IV=0
when running Pidgin. I propose the attached patch for the libpurple ssl-nss
plugin, which detects whether the Sipe plugin is loaded and sets the
SSL_CBC_RANDOM_IV option accordingly at runtime.

With this solution the security fix is not unnecessarily disabled for the
majority of Pidgin users, but pidgin-sipe is allowed to work out of the box,
without a need to modify environment variables.

The patch will allow closing the RC bugs filed against the pidgin-sipe package,
so I would appreciate it if it could be included in the Wheezy release.

The fix must be done in libpurple because protocol plugins don't have access to
the underlying SSL library.

Regards,

Jakub

[1] http://security-tracker.debian.org/tracker/CVE-2011-3389
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649456

--- System information. ---
Architecture: amd64
Kernel:       Linux 3.2.0-3-amd64

Debian Release: wheezy/sid
  500 unstable        ftp.cz.debian.org
  500 testing         security.debian.org
  500 testing         ftp.cz.debian.org
  500 stable          ftp.cz.debian.org
  500 stable          emdebian.org
    1 experimental    ftp.cz.debian.org

--- Package information. ---
Depends                                     (Version) | Installed
=====================================================-+-==================
pidgin-data                               (>= 2.10.6) | 2.10.6-1
pidgin-data                             (<< 2.10.6-z) | 2.10.6-1
libavahi-client3                          (>= 0.6.16) | 0.6.31-1
libavahi-common3                          (>= 0.6.16) | 0.6.31-1
libavahi-glib1                            (>= 0.6.16) | 0.6.31-1
libc6                                        (>= 2.7) | 2.13-33
libdbus-1-3                                (>= 1.0.2) | 1.6.0-1
libdbus-glib-1-2                            (>= 0.78) | 0.100-1
libfarstream-0.1-0                         (>= 0.1.1) | 0.1.2-1
libglib2.0-0                              (>= 2.30.0) | 2.32.3-1
libgstreamer-plugins-base0.10-0           (>= 0.10.0) | 0.10.36-1
libgstreamer0.10-0                       (>= 0.10.20) | 0.10.36-1
libidn11                                    (>= 1.13) | 1.25-2
libmeanwhile1                              (>= 1.0.2) | 1.0.2-4
libnspr4                               (>= 2:4.9-2~)  | 2:4.9.1-1
 OR libnspr4-0d                         (>= 1.8.0.10) | 2:4.9.1-1
libnss3                             (>= 2:3.13.4-2~)  | 2:3.13.5-1
 OR libnss3-1d                      (>= 3.12.0~1.9b1) | 2:3.13.5-1
libperl5.14                               (>= 5.14.2) | 5.14.2-12
libsasl2-2                                (>= 2.1.24) | 2.1.25.dfsg1-4+b1
libxml2                                    (>= 2.7.4) | 2.8.0+dfsg1-4
libzephyr4                                            | 3.0.2-2
perl-base                              (>= 5.14.2-12) | 5.14.2-12
perlapi-5.14.2                                        |
libsasl2-modules                                      | 2.1.25.dfsg1-4+b1


Recommends           (Version) | Installed
==============================-+-===========
ca-certificates                | 20120623
libpurple-bin                  |


Suggests      (Version) | Installed
=======================-+-===========
tcl8.5       (>= 8.5.0) | 8.5.11-2
tk8.5        (>= 8.5.0) | 8.5.11-2




From bad502914a6f8b72f6a3ad3d79cc21fde3942136 Mon Sep 17 00:00:00 2001
From: Jakub Adam <jakub.a...@ktknet.cz>
Date: Sat, 14 Jul 2012 16:16:09 +0200
Subject: [PATCH] Disable 1/n-1 record splitting if Sipe plugin is loaded

---
 libpurple/plugins/ssl/ssl-nss.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
index 6ed90db..1a6ebfd 100644
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -386,6 +386,7 @@ ssl_nss_connect(PurpleSslConnection *gsc)
 {
 	PurpleSslNssData *nss_data = g_new0(PurpleSslNssData, 1);
 	PRSocketOptionData socket_opt;
+	GList *purple_plugins = purple_plugins_get_protocols();
 
 	gsc->private_data = nss_data;
 
@@ -429,6 +430,19 @@ ssl_nss_connect(PurpleSslConnection *gsc)
 	SSL_OptionSet(nss_data->in, SSL_SECURITY,            PR_TRUE);
 	SSL_OptionSet(nss_data->in, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
 
+	/* Disable 1/n-1 record splitting if Sipe plugin is loaded, Microsoft
+	 * OCS and Lync servers break connection with this setting on.
+	 *
+	 * Unfortunately it can't be detected here whether this particular
+	 * PurpleSslConnection belongs to Sipe account, so setting is done for all
+	 * or for none. */
+	for (; purple_plugins; purple_plugins = purple_plugins->next) {
+		PurplePlugin *plugin = (PurplePlugin *)purple_plugins->data;
+		if (!strcmp(plugin->info->id, "prpl-sipe")) {
+			SSL_OptionSet(nss_data->in, SSL_CBC_RANDOM_IV, PR_FALSE);
+		}
+	}
+
 	SSL_AuthCertificateHook(nss_data->in,
 							(SSLAuthCertificate)ssl_auth_cert,
 							(void *)CERT_GetDefaultCertDB());
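Review bot: the loop keys on whether the prpl-sipe protocol plugin is loaded at all, which, as the comment admits, disables SSL_CBC_RANDOM_IV for every NSS connection ssl_nss_connect() opens once pidgin-sipe is merely installed, not only for users with a SIPE account; a tighter condition that still needs no per-connection knowledge is to check whether any active account uses that protocol, e.g. walk `purple_accounts_get_all_active()` and compare `purple_account_get_protocol_id()` against "prpl-sipe", so users who only have the package installed keep the CVE-2011-3389 mitigation. Also add a `break;` after the matching `SSL_OptionSet(nss_data->in, SSL_CBC_RANDOM_IV, PR_FALSE);` (the option needs setting once), and name CVE-2011-3389 in the comment so the security trade-off is visible to whoever next touches this code.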
-- 
1.7.10.4
