[Fwd: Re: [Advisories] Libpurple security vulnerability CORE-2009-0727]

Paul Aurich paul at darkrain42.org
Wed Aug 12 22:31:49 EDT 2009

I'm going to respond to this with something along the lines of the text
below. Comments and feedback, please.

"Thanks for the PoC code. We will have a patch and new release ready by the

We've verified this issue in the code and believe it impacts all versions
of Pidgin and Gaim starting with 0.79*.

The default privacy settings allow any remote entity to contact an MSN
user, so the attacker need not be in the victim's buddy list.  The attack
is mitigated if a user sets the privacy settings for MSN accounts to "Allow
only the users below " (which defaults to the list of people on the buddy

We will be releasing Pidgin 2.5.9, which will contain a patch just for this

I looked at the commit log for when that code was originally committed
(4d5eff348be7221d4bd4f2758020722bbae1bf30), and it looks a lot like this
has been an issue since then.

Do we still plan on releasing 2.5.9 with just the patch? Will we release
2.6.0 at the same time?


And Paul Aurich spoke on 08/10/2009 01:17 PM, saying:
> -------- Original Message --------
> Subject: Re: [Advisories] Libpurple security vulnerability CORE-2009-0727
> Date: Mon, 10 Aug 2009 17:09:51 -0300
> From: Core Security Advisories Team (jo)
> <advisories-publication at coresecurity.com>
> Organization: Core Security Technologies
> To: Luke Schierer <lschiere at pidgin.im>,  darkrain42 at pidgin.im
> CC: Core Security Advisories Team (jo)
> <advisories-publication at coresecurity.com>, Federico Muttis <acid at corest.com>
> References: <4A6E328C.2090507 at coresecurity.com>
> <3FB270B3-D400-4E91-8AC2-364B12ED268F at pidgin.im>
> <4A6F56B4.10505 at coresecurity.com>
> <3B877F37-FDF3-4820-B13B-9AB8D22FB6E9 at pidgin.im>
> <4A70C622.7050906 at coresecurity.com>
> <A40E1518-B0E9-4F6C-9F87-195E90F9E5C6 at pidgin.im>
> <4A71D592.5090407 at coresecurity.com>
> <DE0DB244-09F1-4F20-AC15-2F818134AB3C at pidgin.im>
> <4A733A70.8060108 at coresecurity.com>
> Hi Luke and Paul,
> Do you have any update on the bug Federico found? Please send us any
> version/patch information you have. Also we include in our advisories a
> Vendor Section including workarounds and solutions. Please send us
> content for that section if you want to include something.
> Cheers,
> Jose.
> Core Security Advisories Team (jo) wrote:
>> Luke,
>> Here is the PoC that triggers the bug. To run exploit.py you must first
>> edit msnclient.py:
>>        # Setup some MSN accounts
>>        self.account = "Attacker MSN account"
>>        self.password = "Attacker password"
>>        self.victim = "Victim MSN Account"
>>        self.display_name = "My Display Name"
>>        # Set your proxy if you need it, with this format:
>>        #self.proxy = ""
>>        # Else, leave it blank.
>>        self.proxy = ""
>> Don't hesitate to write if you have any doubt or comment.
>> Regards,
>> Jose.
>> Luke Schierer wrote:
>>> We have looked into the code and we're not sure how this can be triggered.
>>> You have outlined a two-step process. For the second step, you say
>>> buffer is NULL, thus allowing a memcpy to an arbitrary location.
>>> However, we don't see how this could happen. The buffer should either
>>> have been allocated in the first step, or if that fails, the original
>>> message would be destroyed. And without that, the second part could
>>> not occur. So, how are you getting buffer to be NULL?
>>> Thanks!
>>> Luke
>>> On Jul 30, 2009, at 13:17 EDT, Core Security Advisories Team (jo) wrote:
>>>> Hi,
>>>> I am attaching a preliminary version of the advisory, written by
>>>> Federico Muttis, encrypted with Luke's key. Don't hesitate to write back
>>>> if you have any doubts or comments.  We are planning to release the
>>>> advisory on August 18th, 2009.
>>>> Regards,
>>>> Jose.
>>>> --José I. Orlicki
>>>> Advisories Team
>>>> Core Security Technologies
>>>> http://corelabs.coresecurity.com/index.php?module=FrontEndMod&action=list&type=advisory
>>>> <pidgin-1.txt.pgp>
