Package: pidgin
Version: 2.4.3-4lenny2
Severity: important

See upstream bug http://developer.pidgin.im/ticket/7013
there's a patch there, too.

Note that this is *NOT* the problem related to libxml which
has been reported oh so many times already. That is unrelated
and was tracked by upstream in http://developer.pidgin.im/ticket/8830

Rather, it's a problem with 25_ssl-nss.patch which was
applied in this change:

 -- Ari Pollak <[email protected]>  Tue, 24 Sep 2008 20:48:03 -0400

pidgin (2.4.3-2) unstable; urgency=low

  * Apply patch from Miron Cuperman to fix path to CA certificates in
    00_debian-ca-certs.path
  * debian/patches/25_ssl-nss.patch:
    - Apply patch from upstream to add SSL certificate checking to the NSS
      plugin, which we use (CVE-2008-3532) (Closes: #492434)

I got that exact same trace as in the upstream bug report on Lenny
when trying to connect to an XMPP server using a self-signed SSL certificate,
ending in strcmp() called by x509_signed_by() in the ssl-nss code.

Dropping the upstream patch which I quote below into
debian/patches/33_ssl-nss-self-signed-crash.patch
and rebuilding the package and reinstalling pidgin
and libpurple from the resulting packages fixed the problem for me.

#
#
# patch "libpurple/plugins/ssl/ssl-nss.c"
#  from [c6c576ba92370703e89850d8e6dc88b7fec3e523]
#    to [d6de7a59c8b1c42086fd8e7153865718fc3289e6]
#
============================================================
--- libpurple/plugins/ssl/ssl-nss.c     c6c576ba92370703e89850d8e6dc88b7fec3e523
+++ libpurple/plugins/ssl/ssl-nss.c     d6de7a59c8b1c42086fd8e7153865718fc3289e6
@@ -285,7 +285,8 @@ ssl_nss_get_peer_certificates(PRFileDesc
        }
        
        for (count = 0 ; count < CERT_MAX_CERT_CHAIN ; count++) {
-               purple_debug_info("nss", "subject=%s issuer=%s\n", 
curcert->subjectName, curcert->issuerName);
+               purple_debug_info("nss", "subject=%s issuer=%s\n", 
curcert->subjectName,
+                                                 curcert->issuerName  ? 
curcert->issuerName : "(null)");
                newcrt = x509_import_from_nss(curcert);
                peer_certs = g_list_append(peer_certs, newcrt);
 
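Review bot: the new guard only covers curcert->issuerName, but curcert->subjectName is still passed to the "%s" format unconditionally on the same line; since both are plain char* fields from the same CERTCertificate, apply the same `? ... : "(null)"` treatment to subjectName as well. Note also that the quoted hunk has been line-wrapped by the mailer (the purple_debug_info call is split across two lines), so it should be taken from the upstream ticket rather than cut and pasted from this mail if you want `patch` to apply it cleanly.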
@@ -676,7 +677,8 @@ x509_signed_by(PurpleCertificate * crt,
        subjectCert = X509_NSS_DATA(crt);
        g_return_val_if_fail(subjectCert, FALSE);
 
-       if ( PORT_Strcmp(subjectCert->issuerName, issuerCert->subjectName) != 0 
)
+       if (subjectCert->issuerName == NULL
+                       || PORT_Strcmp(subjectCert->issuerName, 
issuerCert->subjectName) != 0)
                return FALSE;
        st = CERT_VerifySignedData(&subjectCert->signatureWrap, issuerCert, 
PR_Now(), NULL);
        return st == SECSuccess;
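Review bot: the NULL check covers subjectCert->issuerName but issuerCert->subjectName is still passed to PORT_Strcmp unchecked; unless the caller guarantees a non-NULL subject name on the candidate issuer, add `|| issuerCert->subjectName == NULL` to the same condition so the function fails closed on either side. Returning FALSE on a NULL issuer name is the right outcome here: the string comparison is only a cheap pre-filter and the actual chain binding is done by CERT_VerifySignedData below, so a certificate whose issuer name cannot be matched is simply treated as not signed by this issuer rather than crashing. As with the first hunk, the lines are mailer-wrapped here (the `!= 0` and the closing `)` have been pushed onto separate lines), so use the patch from the ticket rather than this copy.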


-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pidgin depends on:
ii  gconf2                  2.22.0-1         GNOME configuration database syste
ii  libatk1.0-0             1.22.0-1         The ATK accessibility toolkit
ii  libc6                   2.7-18           GNU C Library: Shared libraries
ii  libcairo2               1.6.4-7          The Cairo 2D vector graphics libra
ii  libdbus-1-3             1.2.1-5          simple interprocess messaging syst
ii  libdbus-glib-1-2        0.76-1           simple interprocess messaging syst
ii  libglib2.0-0            2.16.6-1+lenny1  The GLib library of C routines
ii  libgstreamer0.10-0      0.10.19-3        Core GStreamer libraries and eleme
ii  libgtk2.0-0             2.12.12-1~lenny1 The GTK+ graphical user interface 
ii  libgtkspell0            2.0.13-1+b1      a spell-checking addon for GTK's T
ii  libice6                 2:1.0.4-1        X11 Inter-Client Exchange library
ii  libpango1.0-0           1.20.5-3+lenny1  Layout and rendering of internatio
ii  libpurple0              2.4.3-4lenny2    multi-protocol instant messaging l
ii  libsm6                  2:1.0.3-2        X11 Session Management library
ii  libstartup-notification 0.9-1            library for program launch feedbac
ii  libx11-6                2:1.1.5-2        X11 client-side library
ii  libxss1                 1:1.1.3-1        X11 Screen Saver extension library
ii  perl                    5.10.0-19        Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.10 5.10.0-19        minimal Perl system
ii  pidgin-data             2.4.3-4lenny2    multi-protocol instant messaging c

Versions of packages pidgin recommends:
ii  gstreamer0.10-plugins- 0.10.19-2         GStreamer plugins from the "base" 
ii  gstreamer0.10-plugins- 0.10.8-4.1~lenny1 GStreamer plugins from the "good" 

Versions of packages pidgin suggests:
ii  evolution-data-server  2.22.3-1.1+lenny1 evolution database backend server
ii  gnome-panel            2.20.3-5          launcher and docking facility for 
ii  libsqlite3-0           3.5.9-6           SQLite 3 shared library

-- no debconf information


