FS#31417 - [pidgin] Use GnuTLS for SSL support, instead of NSS

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Wednesday, 05 September 2012, 10:05 GMT
Last edited by Evangelos Foutras (foutrelis) - Wednesday, 05 September 2012, 12:56 GMT
Task Type: Feature Request
Category: Packages: Extra
Status: Closed
Assigned To: Evangelos Foutras (foutrelis)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details


Hello,

Given this recent bug report and the potential security implications, I think it would be wise to rebuild pidgin with GnuTLS support instead of NSS:

http://developer.pidgin.im/ticket/15308

In short, libpurple is highly vulnerable to MITM attacks when the NSS plugin is used, which is the case in the current Arch Linux package.

Attached is a simple patch to the PKGBUILD file in order to do just that.

Thanks,


Closed by Evangelos Foutras (foutrelis)
Wednesday, 05 September 2012, 12:56 GMT
Reason for closing: Not a bug
Additional comments about closing: No worries.

Comment by Evangelos Foutras (foutrelis) - Wednesday, 05 September 2012, 12:42 GMT
Pidgin developer Daniel Atallah clarified [1] that the NSS plugin validates the certificate using purple_certificate_verify().

[1] http://developer.pidgin.im/ticket/15308#comment:3
Comment by Remi Gacogne (rgacogne) - Wednesday, 05 September 2012, 12:55 GMT
Hi,

You are right, I should have waited for a confirmation of the issue. I am really sorry for the waste of time.

Regards,
