pidgin-microblog plugin & SSL

Quite a while ago I discovered that the microblogging plugin for Pidgin, pidgin-microblog by somsaks and others, has a serious security flaw: when talking to identi.ca, the plugin does not use the SSL support of the identi.ca API, so your login goes over the wire in the clear.
Running dsniff on your own connection might even be handy if you have forgotten your password (you can read it straight out of the traffic), but the plugin should simply use SSL.

Here is the patch:


Index: identica.c
===================================================================
--- identica.c (Revision 390)
+++ identica.c (Arbeitskopie)
@@ -155,7 +155,7 @@
* No HTTPS for Identi.ca for now
*/
_mb_conf[TC_USE_HTTPS].conf = g_strdup("use_https");
- _mb_conf[TC_USE_HTTPS].def_bool = FALSE;
+ _mb_conf[TC_USE_HTTPS].def_bool = TRUE;

_mb_conf[TC_STATUS_UPDATE].conf = g_strdup("status_update");
_mb_conf[TC_STATUS_UPDATE].def_str = g_strdup("/api/statuses/update.xml");
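Review bot: The comment directly above the changed line, "No HTTPS for Identi.ca for now", now states the opposite of what the code does; update or drop it in the same patch so the next reader is not misled. Also note that def_bool is only the default for the use_https option: accounts that already have use_https stored keep their old value, so users who set up an identi.ca account before this change should check the option in the account settings rather than rely on the new default.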

To apply it, download the source, change into its directory, apply the patch to the file
microblog/identica.c, then run make && sudo make install to install the plugin. You need pidgin-dev and libpurple-dev to compile the plugin from source. (See the README for details.)
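Once the patched plugin is installed it is worth confirming, on your own machine, that credentials no longer leave in cleartext. The following script is an added example written for this post; it is not part of pidgin-microblog. It takes raw HTTP requests together with the destination port, as you could extract them from a capture of your own client's traffic, and reports every Authorization header that went out on a non-TLS port. It assumes the identi.ca API is used with HTTP Basic authentication (which is what the Twitter-compatible API of the time used) and it deliberately discards the password, reporting only host, path and username. The capture below is constructed.

```python
"""Audit captured HTTP requests for credentials sent without TLS.

Added example for this post, not code from pidgin-microblog. Input is a list
of (destination port, raw request bytes) pairs; the samples are constructed.
"""
import base64
from dataclasses import dataclass

# Ports on which we expect TLS. An HTTP request readable on any other port is,
# by definition, unencrypted. (Assumption: the capture covers one client.)
TLS_PORTS = {443}


@dataclass
class Finding:
    host: str
    path: str
    port: int
    scheme: str      # "basic", "oauth" or "other"
    username: str    # only set for Basic auth; the password is never kept


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers dict)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def audit(requests):
    """Return a Finding for every request carrying an Authorization header
    on a connection where no TLS was in use."""
    findings = []
    for port, raw in requests:
        if port in TLS_PORTS:
            continue            # payload would be ciphertext, nothing readable
        _method, path, headers = parse_request(raw)
        auth = headers.get("authorization")
        if auth is None:
            continue
        scheme, _, value = auth.partition(" ")
        scheme = scheme.lower()
        username = ""
        if scheme == "basic":
            try:
                decoded = base64.b64decode(value, validate=True).decode("utf-8")
                username = decoded.split(":", 1)[0]   # keep user, drop password
            except (ValueError, UnicodeDecodeError):
                username = "<undecodable>"
        findings.append(Finding(headers.get("host", "?"), path, port,
                                scheme if scheme in ("basic", "oauth") else "other",
                                username))
    return findings


def report(findings):
    """Human-readable lines, one per finding, never containing the secret."""
    lines = []
    for f in findings:
        who = f" user={f.username}" if f.username else ""
        lines.append(f"CLEARTEXT {f.scheme} credential to {f.host}:{f.port}{f.path}{who}")
    return lines


# Constructed sample capture modelled on the pre-patch behaviour: a status
# update sent over plain HTTP (port 80), an unauthenticated timeline fetch,
# and a TLS connection whose payload cannot be parsed as HTTP at all.
_BASIC = base64.b64encode(b"alice:hunter2").decode()
SAMPLE_CAPTURE = [
    (80, (f"POST /api/statuses/update.xml HTTP/1.1\r\n"
          f"Host: identi.ca\r\n"
          f"Authorization: Basic {_BASIC}\r\n"
          f"Content-Length: 11\r\n\r\nstatus=test").encode()),
    (80, b"GET /api/statuses/friends_timeline.xml HTTP/1.1\r\n"
         b"Host: identi.ca\r\n\r\n"),
    (443, b"\x16\x03\x01 <encrypted TLS record, not HTTP>"),
]

if __name__ == "__main__":
    for line in report(audit(SAMPLE_CAPTURE)):
        print(line)
```

Run it against your own capture after the upgrade: if the patched plugin is in use, every identi.ca request should land on port 443 and the script should report nothing.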

Finally I can use Pidgin as a microblogging tool again.

By the way, the Twitter part did not have this flaw.

This security issue is present in the following Debian package:

apt-cache show pidgin-microblog
Package: pidgin-microblog
Version: 0.3.0-3
Installed-Size: 404
Maintainer: Karolina Kalic
Architecture: i386
Depends: libatk1.0-0 (>= 1.12.4), libc6 (>= 2.3.6-6~), libcairo2 (>= 1.2.4), libfontconfig1 (>= 2.8.0), libfreetype6 (>= 2.2.1), libgdk-pixbuf2.0-0 (>= 2.22.0), libglib2.0-0 (>= 2.12.0), libgtk2.0-0 (>= 2.8.0), libpango1.0-0 (>= 1.14.0), libpurple0 (>= 2.6.0)
Description-en: Microblogging plugins for Pidgin
Pidgin-microblog is a collection of plugins for Pidgin or any other
libpurple based client like Adium or Finch. It implements microbloging
systems to Pidgin. Currently it supports Twitter, Identi.ca, and Status.net
(old Laconi.ca) based servers through the conversation windows.
Homepage: http://code.google.com/p/microblog-purple/
Description-md5: 60fa3158b730f36eba49bfb5aa4fb401
Tag: implemented-in::c, network::client, role::plugin, uitoolkit::gtk,
use::chatting, web::microblog, works-with::im
Section: net
Priority: optional
Filename: pool/main/p/pidgin-microblog/pidgin-microblog_0.3.0-3_i386.deb
Size: 138078
MD5sum: fd4b837c9f45afc146492375e17a09b0
SHA1: c668c21cf8676039273ad956ebe49585206ed606
SHA256: b4460fa596f1decc21d4e88c64dbda30229074bd2fe4a6f6024a41f4b43c18b1


One comment

Filed under diverses, news

One response to “pidgin-microblog plugin & SSL”

  1. Hi Koeart,

    Thank you for spotting this issue and providing a patch for it. Could
    you submit a bug report at the BTS (bugs.debian.org) against
    pidgin-microblog with the patch attached and proper meta information in
    it? Or you can contact the upstream author to apply this change in the
    next release, because this is an issue with the upstream source, not with
    the Debian packaging.

    Kind regards,
    Karolina
