REDHAT-BUG-1025718

First published: Fri Nov 01 2013(Updated: )

Libgadu, an open library for communicating using the protocol e-mail, was found to have missing the ssl certificate validation. The issue is that libgadu uses openSSL library for creating secure connections. A program using openSSL can perform SSL handshake by invoking the SSL_connect function. Some cetrificate validation errors are signaled through, the return values of the SSL_connect, while for the others errors SSL_connect returns OK but sets internal "verify result" flags. Application must call ssl_get_verify_result function to check if any such errors occurred. This check seems to be missing in libgadu. And thus a man-in-the-middle attack is possible failing all the SSL protection. Upstream suggested that it was a concious decision as libgadu is reverse-engineered implementation of a proprietary protocol, they had no control over the certificates used for SSL connections, so they would add a note to the documentation about this. References: <a href="http://seclists.org/oss-sec/2013/q4/202">http://seclists.org/oss-sec/2013/q4/202</a> <a href="https://bugzilla.novell.com/show_bug.cgi?id=848509">https://bugzilla.novell.com/show_bug.cgi?id=848509</a> <a href="http://www.mail-archive.com/libgadu-devel@lists.ziew.org/msg01017.html">http://www.mail-archive.com/libgadu-devel@lists.ziew.org/msg01017.html</a>

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/first-publish-date
• agent/last-modified-date
• agent/type
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2013-4488
• agent/severity
• agent/references
• agent/event
• agent/description
• agent/trending
• agent/source
• agent/softwarecombine
• agent/tags
• agent/guess-ai
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• vendor/libgadu
• canonical/centos libgcc
• vendor/openssl
• canonical/openssl