Pidgin security vulnerabilities

Mark Doliner mark at kingant.net
Mon Feb 11 04:33:31 EST 2013


*** The contents of this email are sensitive!  Please do not share
publicly until after the embargo date -- Wednesday 2013-02-13 at 07:00
PST, 10:00 EST, 15:00 UTC ***

Hello Pidgin packagers!

I'm sorry to inform you that we're disclosing some security
vulnerabilities in Pidgin and libpurple.  We're releasing Pidgin
2.10.7 this Wednesday (2 and a half days from now) with fixes.  These
issues were all found by static code analysis and not by actual
crashes.  We do not have repro steps for any of them, however we DO
believe they are all remotely triggerable.  The vulnerabilities are:

CVE-2013-0271, discovered by Chris Wysopal, Veracode.
Remote MXit user could specify local file path.
The MXit protocol plugin saves an image to local disk using a filename
that could potentially be partially specified by the IM server or by a
remote user.
Information about this issue will be posted at
http://pidgin.im/news/security/?id=65 after the embargo date.

CVE-2013-0272, discovered by Coverity static analysis.
MXit buffer overflow reading data from network.
The code did not respect the size of the buffer when parsing HTTP
headers, and a malicious server or man-in-the-middle could send
specially crafted data that could overflow the buffer.  This could
lead to a crash or remote code execution.
Information about this issue will be posted at
http://pidgin.im/news/security/?id=66 after the embargo date.

CVE-2013-0273, discovered by Coverity static analysis.
Sametime crash with long user IDs.
libpurple failed to null-terminate user IDs that were longer than 4096
bytes.  It's plausible that a malicious server could send one of these
to us, which would lead to a crash.
Information about this issue will be posted at
http://pidgin.im/news/security/?id=67 after the embargo date.

CVE-2013-0274, discovered by Coverity static analysis.
Crash when receiving a UPnP response with abnormally long values.
libpurple failed to null-terminate some strings when parsing the
response from a UPnP router.  This could lead to a crash if a
malicious user on your network responds with a specially crafted
message.
Information about this issue will be posted at
http://pidgin.im/news/security/?id=68 after the embargo date.
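
The Sametime and UPnP entries above describe the same defect class: a string copied into a fixed-size buffer without guaranteeing a terminator, so later string handling runs off the end.  The following is an added illustration, not Pidgin's or libpurple's code; the 4096-byte buffer size is taken from the Sametime description, and the function names and the 5000-byte input are constructed for the demo.  It shows the unsafe copy pattern beside a bounded copy that always terminates and reports truncation so the caller can reject an over-long ID instead of silently shortening it:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define ID_BUF_SIZE 4096 /* fixed-size destination, size taken from the advisory */

/* Unsafe pattern: strncpy() writes no terminator when the source is at
 * least dst_size bytes long, so later string handling reads past the end. */
static void copy_id_unterminated(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
}

/* Hardened pattern: copy at most dst_size-1 bytes, always terminate, and
 * report truncation so the caller can reject over-long IDs outright. */
static bool copy_id_bounded(char *dst, size_t dst_size,
                            const char *src, size_t src_len)
{
    if (dst_size == 0)
        return false;
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n == src_len; /* false: input was truncated */
}

/* Look for a NUL inside the buffer bounds without strlen(), which would
 * itself read past the end of an unterminated buffer. */
static bool is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Constructed input: a 5000-byte ID with no NUL, longer than the buffer. */
static bool demo_unterminated(void)
{
    static char id[5000], buf[ID_BUF_SIZE];
    memset(id, 'A', sizeof id);
    copy_id_unterminated(buf, sizeof buf, id);
    return is_terminated(buf, sizeof buf); /* false: no terminator written */
}

static bool demo_bounded(void)
{
    static char id[5000], buf[ID_BUF_SIZE];
    memset(id, 'A', sizeof id);
    bool complete = copy_id_bounded(buf, sizeof buf, id, sizeof id);
    return !complete && is_terminated(buf, sizeof buf); /* true */
}
```

A review or static-analysis check for this class is simply: every copy into a fixed buffer must either terminate unconditionally or reject input that does not fit.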

You can download patches and the 2.10.7 release from here:
http://pidgin.im/~markdoliner/aiofFj4se2E9I/
These files are not public!  Please do not distribute them to
end-users until after the embargo (Wednesday 2013-02-13 at 07:00 PST,
10:00 EST, 15:00 UTC).

In addition to the above, we made a change to account for a changed
SSL certificate on some MSN servers.  If your build of Pidgin uses
your own system-wide CA certificate directory then you don't need to
do anything.  If your build of Pidgin installs our bundled CA certs
then I believe you'll need to patch in this change in order for users
to be able to log in to MSN:
http://hg.pidgin.im/pidgin/main/rev/673056a91e3b

Thanks, and please let me know if you have any problems or questions,
Mark
