Multiple remotely-triggerable crashes in libpurple

John Bailey rekkanoryo at
Thu Oct 14 20:44:46 EDT 2010

On 10/14/2010 07:59 AM, Jan Lieskovsky wrote:
>> Thank you!  I plan to draft a smaller summary of the original
>> disclosure I
>> posted here for use on our website.  I'll post it here once I have
>> drafted it.
> Ok, good.

The draft of the shorter text is as follows:

CVE: CVE-2010-3711

Discovered by: Daniel Atallah

Summary: Multiple remotely-triggered denials of service

It has been discovered that eight denial of service conditions exist in
libpurple all due to insufficient validation of the return value from
purple_base64_decode().  Invalid or malformed data received in place of a valid
base64-encoded value in portions of the Yahoo!, MSN, MySpaceIM, and XMPP
protocol plugins and the NTLM authentication support trigger a crash.  These
vulnerabilities can be leveraged by a remote user for denial of service.

Fixed in revision: <not yet available>

Fixed in version: 2.7.4 <not yet available>

Fix: Check the return value from purple_base64_decode() before trying to use it.

>> I've never dealt with vendor-sec.  Any assistance in that regard is
>> quite welcome.
> Ok, great. We will post a short notification to vendor-sec then. But
> prior doing
> that would like to request you for the approval to privately share your
> original
> post to this list together with patches, is someone requests them.
> We would post hosrt notification and provide further flaws details (your
> original
> notification) on in case, someone (some vendor) requests them.

You have my approval.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Packagers mailing list