Philipp Kern wrote:
> On Mon, Aug 24, 2009 at 09:26:46AM -0400, Ari Pollak wrote:
>> Bug #542891 covers a security bug that will probably be getting a CVE
>> number and affects all supported versions of Debian, but the security
>> team indicated that it isn't important enough to warrant a DSA. So I was
>> planning on uploading an update to lenny and etch with the fix.
>
> That's ok. It would be cool however if you could post debdiffs for
> both before you upload them to proposed-updates.

Here's the diff for lenny. Apparently etch isn't affected by this bug since it never claimed to require SSL/TLS, so I won't be updating that.
diff -Nru pidgin-2.4.3/debian/changelog pidgin-2.4.3/debian/changelog
--- pidgin-2.4.3/debian/changelog 2009-08-26 14:31:07.000000000 +0000
+++ pidgin-2.4.3/debian/changelog 2009-08-26 14:31:08.000000000 +0000
@@ -1,3 +1,11 @@
+pidgin (2.4.3-4lenny4) stable; urgency=medium
+
+ * debian/patches/35_xmpp-require-ssl.patch:
+ - Fix XMPP not properly enforcing "Require SSL/TLS" on some older
+ servers (Closes: #542891)
+
+ -- Ari Pollak <ari@debian.org> Tue, 25 Aug 2009 09:53:14 -0400
+
pidgin (2.4.3-4lenny3) stable-security; urgency=low
* debian/patches/33_ssl-nss-self-signed-crash.patch:
diff -Nru pidgin-2.4.3/debian/patches/35_xmpp-require-ssl.patch pidgin-2.4.3/debian/patches/35_xmpp-require-ssl.patch
--- pidgin-2.4.3/debian/patches/35_xmpp-require-ssl.patch 1970-01-01 00:00:00.000000000 +0000
+++ pidgin-2.4.3/debian/patches/35_xmpp-require-ssl.patch 2009-08-26 14:31:08.000000000 +0000
@@ -0,0 +1,28 @@
+#
+#
+# patch "libpurple/protocols/jabber/auth.c"
+# from [c6da33813f947a747b08aec752db34db121516fd]
+# to [4846e5134fd09bde6ad21cd0b75b64693e90e5ea]
+#
+============================================================
+--- libpurple/protocols/jabber/auth.c c6da33813f947a747b08aec752db34db121516fd
++++ libpurple/protocols/jabber/auth.c 4846e5134fd09bde6ad21cd0b75b64693e90e5ea
+@@ -689,6 +689,18 @@ void jabber_auth_start_old(JabberStream
+ JabberIq *iq;
+ xmlnode *query, *username;
+
++ /* We can end up here without encryption if the server doesn't support
++ * <stream:features/> and we're not using old-style SSL. If the user
++ * is requiring SSL/TLS, we need to enforce it.
++ */
++ if (js->gsc == NULL &&
++ purple_account_get_bool(purple_connection_get_account(js->gc), "require_tls", FALSE)) {
++ purple_connection_error_reason (js->gc,
++ PURPLE_CONNECTION_ERROR_ENCRYPTION_ERROR,
++ _("You require encryption, but it is not available on this server."));
++ return;
++ }
++
+ #ifdef HAVE_CYRUS_SASL
+ /* If we have Cyrus SASL, then passwords will have been set
+ * to OPTIONAL for this protocol. So, we need to do our own