Josh Triplett
2008-Jul-26 03:03 UTC
[Secure-testing-team] Bug#492434: pidgin: Connects to Jabber server with bad SSL certificates without warning
Package: pidgin
Version: 2.4.3-1
Severity: grave
Tags: security
Justification: user security hole

I recently set up a Jabber server. I used the default snakeoil certificate. When I configured Pidgin to connect to my new server, using SSL, it connected without any complaint whatsoever.

- Josh Triplett

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pidgin depends on:
ii  gconf2                      2.22.0-1     GNOME configuration database syste
ii  libatk1.0-0                 1.22.0-1     The ATK accessibility toolkit
ii  libc6                       2.7-12       GNU C Library: Shared libraries
ii  libcairo2                   1.6.4-6      The Cairo 2D vector graphics libra
ii  libdbus-1-3                 1.2.1-2      simple interprocess messaging syst
ii  libdbus-glib-1-2            0.76-1       simple interprocess messaging syst
ii  libglib2.0-0                2.16.4-2     The GLib library of C routines
ii  libgstreamer0.10-0          0.10.20-1    Core GStreamer libraries and eleme
ii  libgtk2.0-0                 2.12.11-3    The GTK+ graphical user interface
ii  libgtkspell0                2.0.13-1     a spell-checking addon for GTK's T
ii  libice6                     2:1.0.4-1    X11 Inter-Client Exchange library
ii  libpango1.0-0               1.20.5-1     Layout and rendering of internatio
ii  libpurple0                  2.4.3-1      multi-protocol instant messaging l
ii  libsm6                      2:1.0.3-2    X11 Session Management library
ii  libstartup-notification0    0.9-1        library for program launch feedbac
ii  libx11-6                    2:1.1.4-2    X11 client-side library
ii  libxss1                     1:1.1.3-1    X11 Screen Saver extension library
ii  perl                        5.10.0-11.1  Larry Wall's Practical Extraction
ii  perl-base [perlapi-5.10.0]  5.10.0-11.1  The Pathologically Eclectic Rubbis
ii  pidgin-data                 2.4.3-1      multi-protocol instant messaging c

Versions of packages pidgin recommends:
ii  gstreamer0.10-plugins-base  0.10.20-1    GStreamer plugins from the "base"
ii  gstreamer0.10-plugins-good  0.10.8-4     GStreamer plugins from the "good"

Versions of packages pidgin suggests:
ii  evolution-data-server       2.22.3-1     evolution database backend server
ii  gnome-panel                 2.20.3-5     launcher and docking facility for
ii  libsqlite3-0                3.5.9-3      SQLite 3 shared library

-- no debconf information