Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#4680 closed defect

Pidgin segfaults on msn connect (SSL Certificate Error)

Reported by: erythro
Owned by: khc
Milestone:
Component: MSN
Version: 2.3.1
Keywords: crash, segfault, msnp14, ssl certificate error, msn
Cc:

Description

I've recently compiled pidgin with MSNP14. It worked normally for a while, but now it segfaults every time I try to connect to my MSN account. Before it does, a little dialog window pops up titled SSL Certificate Error but it dies before the content loads.

Here's the relevant output from -d:

(17:25:32) certificate/x509/tls_cached: Starting verify for rsi.hotmail.com
(17:25:32) certificate/x509/tls_cached: Checking for cached cert...
(17:25:32) certificate/x509/tls_cached: ...Not in cache
(17:25:32) gnutls/x509: Certificate for C=US,ST=California,L=Mountain View,O=Microsoft,OU=MSN Hotmail,CN=rsi.hotmail.com claims to be issued by DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority, but the certificate for C=US,ST=California,L=Mountain View,O=Microsoft,OU=MSN Hotmail,CN=rsi.hotmail.com does not match.
(17:25:32) certificate: Checking signature chain for uid=C=US,ST=California,L=Mountain View,O=Microsoft,OU=MSN Hotmail,CN=rsi.hotmail.com
(17:25:32) certificate: ...Singleton. We'll say it's valid.
(17:25:32) certificate/x509/tls_cached: Checking for a CA with DN=DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
(17:25:32) gnutls: Attempting to load X.509 certificate from /usr/local/share/purple/ca-certs/Equifax_Secure_CA.pem
(17:25:32) certificate/x509/ca: Loaded /usr/local/share/purple/ca-certs/Equifax_Secure_CA.pem
(17:25:32) gnutls: Attempting to load X.509 certificate from /usr/local/share/purple/ca-certs/Verisign_RSA_Secure_Server_CA.pem
(17:25:32) certificate/x509/ca: Loaded /usr/local/share/purple/ca-certs/Verisign_RSA_Secure_Server_CA.pem
(17:25:32) gnutls: Attempting to load X.509 certificate from /usr/local/share/purple/ca-certs/Microsoft_Secure_Server_Authority.pem
(17:25:32) certificate/x509/ca: Loaded /usr/local/share/purple/ca-certs/Microsoft_Secure_Server_Authority.pem
(17:25:32) gnutls: Attempting to load X.509 certificate from /usr/local/share/purple/ca-certs/Verisign_Class3_Primary_CA.pem
(17:25:32) certificate/x509/ca: Loaded /usr/local/share/purple/ca-certs/Verisign_Class3_Primary_CA.pem
(17:25:32) gnutls: Attempting to load X.509 certificate from /usr/local/share/purple/ca-certs/GTE_CyberTrust_Global_Root.pem
(17:25:32) certificate/x509/ca: Loaded /usr/local/share/purple/ca-certs/GTE_CyberTrust_Global_Root.pem
(17:25:32) certificate/x509/ca: Lazy init completed.
(17:25:32) gnutls/x509: Bad signature for DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority on C=US,ST=California,L=Mountain View,O=Microsoft,OU=MSN Hotmail,CN=rsi.hotmail.com
(17:25:33) certificate: Failed to verify certificate for rsi.hotmail.com
(17:25:33) msnoim: Failed to get OIM
(17:25:33) msn: S: SB 001: USR 1 OK xxxxxxxx@gmail.com Alon
(17:25:33) MSNP14: get payload len:0
(17:25:33) msn: C: SB 001: CAL 2 xxxxxxxx@hotmail.co.il
Pidgin 2.3.1 has segfaulted and attempted to dump a core file.

Here's the backtrace:

Starting program: /usr/local/bin/pidgin 
[Thread debugging using libthread_db enabled]
[New Thread -1224018240 (LWP 9648)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1224018240 (LWP 9648)]
0xb72700a3 in ?? () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt full
#0  0xb72700a3 in ?? () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#1  0xb75d924c in g_value_unset () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#2  0xb72721bd in ?? () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#3  0x08874a48 in ?? ()
No symbol table info available.
#4  0xb734f170 in ?? () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#5  0xb759521c in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#6  0xbfd1c5b8 in ?? ()
No symbol table info available.
#7  0xb75327a7 in g_get_charset () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#8  0xb7273fc0 in malloc () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#9  0xb750f8c3 in g_try_malloc () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#10 0xb74fa72b in g_file_get_contents () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#11 0xb76697c3 in read_icon_file (path=0x877c8e8 "/home/alon/.purple/icons/dcffc1f2f5f6080bffbc09d10588737d489ffc29.jpg", data=0x8890940, len=0x877c948)
    at buddyicon.c:570
        err = (GError *) 0x0
#12 0xb766b032 in purple_buddy_icons_find (account=0x818e978, username=0x83e2660 "xxxxxxx@hotmail.com") at buddyicon.c:621
        path = 0x877c8e8 "/home/alon/.purple/icons/dcffc1f2f5f6080bffbc09d10588737d489ffc29.jpg"
        icon = (PurpleBuddyIcon *) 0x0
        __PRETTY_FUNCTION__ = "purple_buddy_icons_find"
#13 0x080748bd in pidgin_blist_get_buddy_icon (node=<value optimized out>, scaled=1, greyed=1) at gtkblist.c:2446
        scale_size = <value optimized out>
        buf = <value optimized out>
        ret = <value optimized out>
        loader = <value optimized out>
        icon = (PurpleBuddyIcon *) 0x80ee789
        data = (const guchar *) 0x1 <Address 0x1 out of bounds>
        len = 30529608
        buddy = (PurpleBuddy *) 0x83e24a0
        account = <value optimized out>
        prpl_info = (PurplePluginProtocolInfo *) 0xb6464c80
        custom_img = (PurpleStoredImage *) 0x0
#14 0x0807d3e1 in buddy_node (buddy=0x83e24a0, iter=0xbfd1d97c, node=0x83e25d0) at gtkblist.c:5744
        presence = (PurplePresence *) 0x83e2680
        status = (GdkPixbuf *) 0x82acab8
        avatar = <value optimized out>
        emblem = <value optimized out>
        prpl_icon = <value optimized out>
        mark = <value optimized out>
        idle = <value optimized out>
        expanded = 0
        selected = <value optimized out>
        biglist = 1
#15 0x0807d6d4 in pidgin_blist_update_contact (list=0x82eaa38, node=<value optimized out>) at gtkblist.c:5878
        iter = {stamp = 1016764524, user_data = 0x83714b0, user_data2 = 0x0, user_data3 = 0xffffffff}
        cnode = (PurpleBlistNode *) 0x83e25d0
        buddy = (PurpleBuddy *) 0x83e24a0
        __PRETTY_FUNCTION__ = "pidgin_blist_update_contact"
#16 0x0807d726 in pidgin_blist_update_buddy (list=0x82eaa38, node=0x8890940, status_change=142068040) at gtkblist.c:5900
        buddy = <value optimized out>
        __PRETTY_FUNCTION__ = "pidgin_blist_update_buddy"
#17 0x0807da2e in pidgin_blist_update (list=0x82eaa38, node=0x83e24a0) at gtkblist.c:6013
No locals.
#18 0xb76666e9 in purple_blist_update_buddy_status (buddy=0x83e24a0, old_status=0x83e2da8) at blist.c:804
        ops = (PurpleBlistUiOps *) 0x8101c60
        presence = <value optimized out>
        status = (PurpleStatus *) 0x83e25a0
        __PRETTY_FUNCTION__ = "purple_blist_update_buddy_status"
#19 0xb7697d6b in purple_prpl_got_user_status (account=0x818e978, name=0x873a890 "xxxxxxx@hotmail.com", status_id=0xb645c6e4 "available") at prpl.c:167
        list = (GSList *) 0x89adb30
        l = (GSList *) 0x89adb30
        buddy = (PurpleBuddy *) 0x83e24a0
        presence = <value optimized out>
        status = (PurpleStatus *) 0x83e25a0
        old_status = (PurpleStatus *) 0x83e2da8
        args = 0xbfd1dadc "��E�"
        __PRETTY_FUNCTION__ = "purple_prpl_got_user_status"
#20 0xb64547ec in msn_user_update (user=0x873a920) at user.c:99
        account = (PurpleAccount *) 0x818e978
#21 0xb6445a63 in iln_cmd (cmdproc=0x827b2f8, cmd=0x873da00) at notification.c:1068
        session = (MsnSession *) 0x86f9f40
        gc = (PurpleConnection *) 0x86f9e80
        user = (MsnUser *) 0x873a920
        msnobj = <value optimized out>
        state = 0x872e488 "NLN"
        passport = 0x877b188 "xxxxxxx@hotmail.com"
        friendly = 0xb76fffa0 "<msnobj Creator=\"xxxxxx@hotmail.com\" Type=\"3\" SHA1D=\"3P/B8vX2CAv/vAnRBYhzfUif/Ck=\" Size=\"3529\" Location=\"0\" Friendly=\"RABTAEMAXwA2ADEAMAA5AAAA\"/>"
#22 0xb64340b6 in msn_cmdproc_process_cmd (cmdproc=0x827b2f8, cmd=0x873da00) at cmdproc.c:315
        error_cb = <value optimized out>
        cb = (MsnTransCb) 0x877c948
        trans = (MsnTransaction *) 0x8782330
#23 0xb6434224 in msn_cmdproc_process_cmd_text (cmdproc=0x827b2f8, 
    command=0x8992e30 "ILN 11 NLN xxxxxxx@hotmail.com 1 Tomer 1985859644 %3Cmsnobj%20Creator%3D%22xxxxxx%40hotmail.com%22%20Type%3D%223%22%20SHA1D%3D%223P%2FB8vX2CAv%2FvAnRBYhzfUif%2FCk%3D%22%20Size%3D%223529%22%20Locati"...) at cmdproc.c:337
No locals.
#24 0xb6448be6 in read_cb (data=0x86f9c70, source=15, cond=PURPLE_INPUT_READ) at servconn.c:457
        buf = "ILN 11 NLN xxxxxxx@hotmail.com 1 Tomer 1985859644 %3Cmsnobj%20Creator%3D%22xxxxxxx%40hotmail.com%22%20Type%3D%223%22%20SHA1D%3D%223P%2FB8vX2CAv%2FvAnRBYhzfUif%2FCk%3D%22%20Size%3D%223529%22%20Locati"...
        end = 0x8992f39 "UBX xxxxxxx@hotmail.com 1 118\r\n<Data><PSM></PSM><CurrentMedia></CurrentMedia><MachineGuid>{20FEF6E7-2BCB-47E7-9FD5-D08DDDD64071}</MachineGuid></Data>"
        old_rx_buf = 0x8992e30 "ILN 11 NLN xxxxxx@hotmail.com 1 Tomer 1985859644 %3Cmsnobj%20Creator%3D%22xxxxxx%40hotmail.com%22%20Type%3D%223%22%20SHA1D%3D%223P%2FB8vX2CAv%2FvAnRBYhzfUif%2FCk%3D%22%20Size%3D%223529%22%20Locati"...
        len = <value optimized out>
        cur_len = <value optimized out>
#25 0x080a4673 in pidgin_io_invoke (source=0x86fa430, condition=G_IO_IN, data=0x81189f8) at gtkeventloop.c:78
        purple_cond = PURPLE_INPUT_READ
#26 0xb75376ed in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#27 0x086fa430 in ?? ()
No symbol table info available.
#28 0x00000001 in ?? ()
No symbol table info available.
#29 0x081189f8 in ?? ()
No symbol table info available.
#30 0xb759521c in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#31 0xbfd1fc6c in ?? ()
No symbol table info available.
#32 0x081188e8 in ?? ()
No symbol table info available.
#33 0xbfd1fc88 in ?? ()
No symbol table info available.
#34 0xb750811c in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
Backtrace stopped: frame did not save the PC

Change History (8)

comment:1 Changed 11 years ago by datallah

The segfault isn't related to the SSL certificate validation error.

It appears to be crashing within glib when trying to read a buddyicon file from disk, but since there are no debug symbols for the glib portions, it is hard to tell exactly what is going wrong.

comment:2 Changed 11 years ago by khc

Is this reproducible? If I have to guess it's probably a memory corruption, or double free. If this is reproducible try running it under valgrind and see if you get anything more out of it.

comment:3 Changed 11 years ago by khc

  • pending changed from 0 to 1

comment:4 Changed 11 years ago by trac-robot

  • pending changed from 1 to 0
  • Status changed from new to closed

This ticket was closed automatically by the system. It was previously set to a Pending status and hasn't been updated within 14 days.

comment:5 Changed 11 years ago by jjsch

Hi, I have a problem related to this bug using pidgin 2.5 from the mtn database.

Backtrace

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb6fa9720 (LWP 21678)]
0xb6d7b08a in msn_oim_request_cb (request=0x8763fd8, response=0x0, req_data=0x85c3ea8) at oim.c:141
141		fault = xmlnode_get_child(response->xml, "Body/Fault");
(gdb) bt full
#0  0xb6d7b08a in msn_oim_request_cb (request=0x8763fd8, response=0x0, req_data=0x85c3ea8) at oim.c:141
	fault = <value optimized out>
	faultcode = <value optimized out>
#1  0xb6d81158 in msn_soap_connection_destroy_foreach_cb (item=0x858d0b0, data=0x8763fe8) at soap.c:617
	req = (MsnSoapRequest *) 0x858d0b0
#2  0xb76db3b1 in g_queue_foreach () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#3  0xb6d815d5 in msn_soap_connection_destroy (conn=0x8763fe8) at soap.c:632
No locals.
#4  0xb76bdbd4 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#5  0xb76be2f8 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#6  0xb6d822b0 in msn_soap_error_cb (ssl=0x8760230, error=PURPLE_SSL_CERTIFICATE_INVALID, data=0x8763fe8) at soap.c:180
No locals.
#7  0xb6d5774b in ssl_gnutls_verified_cb (st=PURPLE_CERTIFICATE_INVALID, userdata=0x87503c0) at ssl-gnutls.c:99
No locals.
#8  0xb75f2949 in purple_certificate_verify_complete (vrq=0x858f430, st=137773096) at certificate.c:105
	__PRETTY_FUNCTION__ = "purple_certificate_verify_complete"
#9  0xb75f38bc in x509_tls_cached_unknown_peer (vrq=0x858f430) at certificate.c:1417
	ca = (PurpleCertificatePool *) 0xb768cae0
	tls_peers = <value optimized out>
	end_crt = (PurpleCertificate *) 0x858cd00
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) quit

Debug information

(22:54:30) gnutls: Handshake complete
(22:54:30) gnutls/x509: Key print: 87:e7:54:cd:fc:e1:ab:f3:d7:4c:2d:40:a3:e1:c0:3d:92:32:28:d7
(22:54:30) gnutls: Peer provided 1 certs
(22:54:30) gnutls: Lvl 0 SHA1 fingerprint: 87:e7:54:cd:fc:e1:ab:f3:d7:4c:2d:40:a3:e1:c0:3d:92:32:28:d7
(22:54:30) gnutls: Serial: 38:4f:67:5a:00:04:00:00:a3:90
(22:54:30) gnutls: Cert DN: C=US,ST=California,L=Mountain View,O=Microsoft,OU=MSN Hotmail,CN=rsi.hotmail.com
(22:54:30) gnutls: Cert Issuer DN: DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
(22:54:30) certificate/x509/tls_cached: Starting verify for rsi.hotmail.com
(22:54:30) certificate/x509/tls_cached: Checking for cached cert...
(22:54:30) certificate/x509/tls_cached: ...Not in cache
(22:54:30) gnutls/x509: Certificate for C=US,ST=California,L=Mountain View,O=Microsoft,OU=MSN Hotmail,CN=rsi.hotmail.com claims to be issued by DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority, but the certificate for C=US,ST=California,L=Mountain View,O=Microsoft,OU=MSN Hotmail,CN=rsi.hotmail.com does not match.
(22:54:30) certificate: Checking signature chain for uid=C=US,ST=California,L=Mountain View,O=Microsoft,OU=MSN Hotmail,CN=rsi.hotmail.com
(22:54:30) certificate: ...Singleton. We'll say it's valid.
(22:54:30) certificate/x509/tls_cached: Checking for a CA with DN=DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority
(22:54:30) gnutls: Attempting to load X.509 certificate from /usr/local/share/purple/ca-certs/GTE_CyberTrust_Global_Root.pem
(22:54:30) certificate/x509/ca: Loaded /usr/local/share/purple/ca-certs/GTE_CyberTrust_Global_Root.pem
(22:54:30) gnutls: Attempting to load X.509 certificate from /usr/local/share/purple/ca-certs/Microsoft_Secure_Server_Authority.pem
(22:54:30) certificate/x509/ca: Loaded /usr/local/share/purple/ca-certs/Microsoft_Secure_Server_Authority.pem
(22:54:30) gnutls: Attempting to load X.509 certificate from /usr/local/share/purple/ca-certs/Verisign_RSA_Secure_Server_CA.pem
(22:54:30) certificate/x509/ca: Loaded /usr/local/share/purple/ca-certs/Verisign_RSA_Secure_Server_CA.pem
(22:54:30) gnutls: Attempting to load X.509 certificate from /usr/local/share/purple/ca-certs/Verisign_Class3_Primary_CA.pem
(22:54:30) certificate/x509/ca: Loaded /usr/local/share/purple/ca-certs/Verisign_Class3_Primary_CA.pem
(22:54:30) gnutls: Attempting to load X.509 certificate from /usr/local/share/purple/ca-certs/Equifax_Secure_CA.pem
(22:54:30) certificate/x509/ca: Loaded /usr/local/share/purple/ca-certs/Equifax_Secure_CA.pem
(22:54:30) gnutls: Attempting to load X.509 certificate from /usr/local/share/purple/ca-certs/StartCom_Free_SSL_CA.pem
(22:54:30) certificate/x509/ca: Loaded /usr/local/share/purple/ca-certs/StartCom_Free_SSL_CA.pem
(22:54:30) gnutls: Attempting to load X.509 certificate from /usr/local/share/purple/ca-certs/CAcert_Root.pem
(22:54:30) certificate/x509/ca: Loaded /usr/local/share/purple/ca-certs/CAcert_Root.pem
(22:54:30) gnutls: Attempting to load X.509 certificate from /usr/local/share/purple/ca-certs/CAcert_Class3.pem
(22:54:30) certificate/x509/ca: Loaded /usr/local/share/purple/ca-certs/CAcert_Class3.pem
(22:54:30) certificate/x509/ca: Lazy init completed.
(22:54:30) gnutls/x509: Bad signature for DC=com,DC=microsoft,DC=corp,DC=redmond,CN=Microsoft Secure Server Authority on C=US,ST=California,L=Mountain View,O=Microsoft,OU=MSN Hotmail,CN=rsi.hotmail.com
(22:54:30) certificate: Failed to verify certificate for rsi.hotmail.com

comment:6 Changed 11 years ago by jjsch

Hi,

I fixed my problem by making these changes:

In function msn_oim_request_cb of oim.c, before calling fault = xmlnode_get_child(response->xml, "Body/Fault"); I check if response is valid.

    if (response)
        fault = xmlnode_get_child(response->xml, "Body/Fault");

Thanks a lot. Juan
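
The backtrace in comment:5 shows the request callback being invoked with response=0x0 from the connection-destroy path after the certificate was rejected, which is the case the check in comment:6 guards. The following is an added example, not Pidgin's code: all type, enum and function names are hypothetical stand-ins, and it shows a callback that treats a NULL response as an explicit failure result instead of dereferencing it.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the SOAP types seen in the backtrace. */
typedef struct { const char *body; } Response;
typedef void (*RequestCb)(const Response *resp, void *user_data);
typedef struct { RequestCb cb; void *user_data; } Request;

enum { OIM_PENDING, OIM_OK, OIM_FAULT, OIM_NO_RESPONSE };

/* Hardened callback: a NULL response means the connection was torn
 * down before any reply arrived (e.g. certificate rejected). */
static void oim_request_cb(const Response *resp, void *user_data)
{
    int *state = user_data;

    if (resp == NULL) {            /* the check described in comment:6 */
        *state = OIM_NO_RESPONSE;  /* record the failure, never deref */
        return;
    }
    *state = strstr(resp->body, "<Fault>") ? OIM_FAULT : OIM_OK;
}

/* Mirrors the destroy path in frames #1-#3: every request still queued
 * is completed with resp == NULL so its owner can clean up. */
static int connection_destroy(Request *queue, size_t n)
{
    size_t i;
    int notified = 0;

    for (i = 0; i < n; i++) {
        if (queue[i].cb != NULL) {
            queue[i].cb(NULL, queue[i].user_data);
            queue[i].cb = NULL;    /* never fire a callback twice */
            notified++;
        }
    }
    return notified;
}

/* Constructed scenario: one request pending when the TLS error hits. */
static int run_cert_failure_scenario(void)
{
    int state = OIM_PENDING;
    Request queue[1] = { { oim_request_cb, &state } };

    connection_destroy(queue, 1);
    return state;
}
```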

comment:7 Changed 11 years ago by khc

This is fixed, I think.

comment:8 Changed 11 years ago by jjsch

Hi,

The fix only resolves the pidgin hang, but not the problem with the certificate.

Regards Juan
