Remote crashes being fixed in Pidgin 2.6.6
Mark Doliner
mark at kingant.net
Tue Feb 16 04:51:49 EST 2010
Here's an update!
* 3 separate security issues
* Not yet public knowledge
* Pidgin 2.6.6 has been created, but NOT YET RELEASED TO THE PUBLIC.
I'll send the tarballs in separate emails to avoid making this email
huge.
* Patches to fix the issues are attached. These are what went into
2.6.6. They apply to 2.6.2 with just a little fuzz and offsets and
should work fine. Anything older will need manual intervention for at
least one of the changes. ALSO NOT YET PUBLIC
* Embargo date is GMT 08:00:00am Feb 18 for all information, including
the patches and the tarball
* We'll release Pidgin 2.6.6 and push the changes to our code
repository shortly after the embargo date
1. CVE-2010-0277 - "MSN SLP Remote Crash"
This is the crash discovered by Fabian Yamaguchi and mentioned at
http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html, but I
don't feel that there are enough published details about this for it
to be considered public. I do not know if there is potential for
remote code execution.
2. CVE-2010-0420 - "Finch XMPP MUC Crash"
Discovered by Sadrul Habib Chowdhury last week. In an XMPP MUC, if
someone changes the nick to '<br>' (using '/nick <br>' for example),
then libpurple ends up having two users with username '\n' in the
room, and finch crashes in this situation. We do not believe there is
a possibility of remote code execution.
I believe this commit fixes the problem, and there is a patch attached
to add an extra safety check to Finch:
http://developer.pidgin.im/viewmtn/revision/info/0085c32abf29d034d30feef1ffb1d483e316a9a8
3. CVE-2010-0423 - "Smiley Denial of Service"
Pidgin becomes unresponsive and consumes lots of CPU when receiving an
IM containing many smileys. This is a remote denial of service
attack, but is not exploitable in any other way. It was reported to
us by Andrea Barisani of ocert. I did revise the previous patch.
--Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2010-0277.diff
Type: text/x-patch
Size: 3923 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20100216/1facd543/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2010-0420.diff
Type: text/x-patch
Size: 630 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20100216/1facd543/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2010-0423.diff
Type: text/x-patch
Size: 4362 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20100216/1facd543/attachment-0002.bin>
More information about the Packagers
mailing list