[Fwd: Re: [Advisories] Libpurple security vulnerability CORE-2009-0727]

Paul Aurich paul at darkrain42.org
Wed Aug 12 22:31:49 EDT 2009 

I'm going to respond to this with something along the lines of the text
below. Commends and feedback, please.

"Thanks for the PoC code. We will have a patch and new release ready by the
18th.

We've verified this issue in the code and believe it impacts all versions
of Pidgin and Gaim starting with 0.79*.

The default privacy settings allow any remote entity to contact an MSN
user, so the attacker need not be in the victim's buddy list.  The attack
is mitigated if a user sets the privacy settings for MSN accounts to "Allow
only the users below " (which defaults to the list of people on the buddy
list).

We will be releasing Pidgin 2.5.9, which will contain a patch just for this
exploit."



I looked at the commit log for when that code was originally committed
(4d5eff348be7221d4bd4f2758020722bbae1bf30), and it looks a lot like this
has been an issue since then.

Do we still plan on releasing 2.5.9 with just the patch? Will we release
2.6.0 at the same time?

~Paul

And Paul Aurich spoke on 08/10/2009 01:17 PM, saying:
> 
> -------- Original Message --------
> Subject: Re: [Advisories] Libpurple security vulnerability CORE-2009-0727
> Date: Mon, 10 Aug 2009 17:09:51 -0300
> From: Core Security Advisories Team (jo)
> <advisories-publication at coresecurity.com>
> Organization: Core Security Technologies
> To: Luke Schierer <lschiere at pidgin.im>,  darkrain42 at pidgin.im
> CC: Core Security Advisories Team (jo)
> <advisories-publication at coresecurity.com>, Federico Muttis <acid at corest.com>
> References: <4A6E328C.2090507 at coresecurity.com>
> <3FB270B3-D400-4E91-8AC2-364B12ED268F at pidgin.im>
> <4A6F56B4.10505 at coresecurity.com>
> <3B877F37-FDF3-4820-B13B-9AB8D22FB6E9 at pidgin.im>
> <4A70C622.7050906 at coresecurity.com>
> <A40E1518-B0E9-4F6C-9F87-195E90F9E5C6 at pidgin.im>
> <4A71D592.5090407 at coresecurity.com>
> <DE0DB244-09F1-4F20-AC15-2F818134AB3C at pidgin.im>
> <4A733A70.8060108 at coresecurity.com>
> 
> 
> Hi Luke and Paul,
> 
> Do you have any update on the bug Federico found? Please send us any
> version/patch information you have. Also we include in our advisories a
> Vendor Section including workarounds and solutions. Please send us
> content for that section if you want to include something.
> 
> Cheers,
> Jose.
> 
> 
> Core Security Advisories Team (jo) escribió:
>> Luke,
>>
>> Here is the PoC that triggers the bug. To run exploit.py you must first
>> edit msnclient.py:
>>
>>        # Setup some MSN accounts
>>        self.account = "Attacker MSN account"
>>        self.password = "Attacker password"
>>        self.victim = "Victim MSN Account"
>>        self.display_name = "My Display Name"
>>
>>        # Set your proxy if you need it, with this format:
>>        #self.proxy = "192.168.254.254:80"
>>        # Else, leave it blank.
>>        self.proxy = ""
>>
>> Don't hesitate to write if you have any doubt or comment.
>>
>> Regards,
>> Jose.
>>
>> Luke Schierer escribió:
>>> We have looked into the code and we're not sure how this can be triggered.
>>> You have outlined a two-step process. For the second step, you say
>>> buffer is NULL, thus allowing a memcpy to an arbitrary location.
>>> However, we don't see how this could happen. The buffer should either
>>> have been allocated in the first step, or if that fails, the original
>>> message would be destroyed. And without that, the second part could
>>> not occur. So, how are you getting buffer to be NULL?
>>>
>>> Thanks!
>>>
>>> Luke
>>>
>>> On Jul 30, 2009, at 13:17 EDT, Core Security Advisories Team (jo) wrote:
>>>
>>>
>>>> Hi,
>>>> I am attaching a preliminary version of the advisory, written by
>>>> Federico Muttis, encrypted with Luke's key. Don't hesitate to write back
>>>> if you have any doubts or comments.  We are planning to release the
>>>> advisory on August 18th, 2009.
>>>> Regards,
>>>> Jose.
>>>> --José I. Orlicki
>>>> Advisories Team
>>>> Core Security Technologies
>>>>
>>> http://corelabs.coresecurity.com/index.php?module=FrontEndMod&action=list&type=advisory
>>>
>>>> <pidgin-1.txt.pgp>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 898 bytes
Desc: OpenPGP digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20090812/465d4ee8/attachment.pgp>

More information about the Packagers mailing list