Upcoming Pidgin security disclosures

Mark Doliner mark at kingant.net
Thu Aug 18 05:14:18 EDT 2011


Hi packagers of Pidgin, Finch and libpurple.  Please don't publicly
release the information or tarballs contained in this email until
after the embargo date!

There are two security problems we'd like to let you know about.

1. Remote crash in IRC protocol plugin.  We've already talked about
this one--Ethan emailed this list about it on July 16.  The
information is semi-public.  The issue was discovered by Djego Ibanez.
We do not yet have a CVE#.  We'll request a CVE# via the oss-security
mailing list shortly before the embargo date.

2. Remote crash in MSN protocol plugin (yes, another one).  You
haven't heard about this one yet.  Caused by incorrect handling of
HTTP 100 Continue responses from MSN servers when using the HTTP
connection method.  The HTTP connection method is not a default
setting--it must have been enabled by the user for them to be
susceptible to this attack.  We believe it is not possible to execute
code.  It is possible for the server to trigger a crash.  We do not
know whether it is possible for a remote user to trigger a crash, but
it seems unlikely to us.  This bug isn't too bad, so my preference is
to NOT get a CVE# for it.  But if people think a CVE# is a good idea
then let's do it.  This bug is not public knowledge--it was reported
directly to us by Marius Wachtler.

Patches for both issues are attached.  (And again, you've already seen
the IRC patch in an earlier email.)  The patches apply against Pidgin
trunk.  I didn't check whether they apply cleanly to 2.9.0, but I
wouldn't expect any major problems.

Tarballs for the not-yet-released Pidgin 2.10.0 can be found here:
http://pidgin.im/~markdoliner/wj23JA3j2Mz9/

The embargo date is 10am PDT Saturday August 20th.  That's 17:00 UTC
Saturday August 20th.

Please don't publicly release the information or tarballs contained in
this email until after the embargo date!  Thanks,
Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: irc_who_fix.diff
Type: text/x-patch
Size: 2662 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20110818/ecf21fa0/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: msn_http_100_response_handling.diff
Type: text/x-patch
Size: 412 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20110818/ecf21fa0/attachment-0001.bin>

