Pidgin security vulnerabilities and 2.10.8

Mark Doliner mark at kingant.net
Wed Jan 22 04:10:08 EST 2014


*** The contents of this email are sensitive!  Please do not share
publicly until after the embargo date -- Tuesday 2013-01-28 at 07:00
PST, 10:00 EST, 15:00 UTC ***

Hello Pidgin packagers!

I'm sorry to inform you that we're disclosing a lot of security
vulnerabilities in Pidgin and libpurple. We're releasing Pidgin 2.10.8
seven days from now with fixes. The issues were found by various
people over the past year. Most were reported to us privately. A few
might be public but mostly under the radar. Some of them are
null-pointer references while others have potential for remote code
execution. Some are only triggerable by a malicious server while
others can be triggered by a remote user. The vulnerabilities are
enumerated at the bottom of this email.

Our 2.x.y branch is intended to be stable. While there ARE a few minor
feature changes, the majority of the changes between 2.10.7 and 2.10.8
are bug fixes (for the security bugs mentioned in this email as well
as less critical bugs). It depends on the policy for your
distribution, of course, but I think upgrading to 2.10.8 is a fine
option. I've also uploaded diffs of each of the fixes--they'll
hopefully apply to older versions of Pidgin without too much effort.

You can find patches and 2.10.8 tarballs at
https://pidgin.im/~markdoliner/pidgin-2.10.8-lFaN3jWtCRFJAi3jajfJpPuar327/

The tarballs are signed with my new PGP key, key ID A40AB77B.

And please let me know if something looks amiss, or I left off some
info, or something doesn't work, or if you have any questions at all.

-----

CVE-2012-6152, discovered by Thijs Alkemade and Robert Vehse
Yahoo! remote crash from incorrect character encoding.
Many places in the Yahoo! protocol plugin assumed incoming strings
were UTF-8 and failed to transcode from non-UTF-8 encodings.  This can
lead to a crash when receiving strings that aren't UTF-8.

-----

CVE-2013-6477, discovered by Jaime Breva Ribes.
Crash handling bad XMPP timestamp.
A remote XMPP user can trigger a crash on some systems by sending a
message with a timestamp in the distant future.

-----

CVE-2013-6478, discovered by a user on our support at pidgin.im mailing list.
Crash when hovering pointer over a long URL.
libX11 forcefully exits when Pidgin tries to create an exceptionally
wide tooltip window.

-----

CVE-2013-6479, discovered by Jacob Appelbaum of the Tor Project.
Remote crash parsing HTTP responses.
A malicious server or man-in-the-middle could send a malformed HTTP
response that could lead to a crash.

-----

CVE-2013-6481, discovered by Daniel Atallah.
Remote crash reading Yahoo! P2P message.
The Yahoo! protocol plugin failed to validate a length field before
trying to read from a buffer, which could result in reading past the
end of the buffer which could cause a crash.

-----

CVE-2013-6482, discovered by Fabian Yamaguchi and Christian
Wressnegger of the University of Goettingen.
NULL pointer dereference parsing headers in MSN.
A malformed Content-Length header could lead to a NULL pointer dereference.

-----

CVE-2013-6482, discovered by Fabian Yamaguchi and Christian
Wressnegger of the University of Goettingen.
NULL pointer dereference parsing OIM data in MSN.
A malicious server or man-in-the-middle could send us a
specially-crafted XML response that results in a NULL pointer
dereference.

-----

CVE-2013-6482, discovered by Fabian Yamaguchi and Christian
Wressnegger of the University of Goettingen.
NULL pointer dereference parsing SOAP data in MSN.
A malicious server or man-in-the-middle could send us a
specially-crafted SOAP response that results in a NULL pointer dereference.

-----

CVE-2013-6483, discovered by Fabian Yamaguchi and Christian
Wressnegger of the University of Goettingen.
XMPP doesn't verify 'from' on some iq replies.
The XMPP protocol plugin failed to ensure that iq replies came from
the person they were sent to. A remote user could send a spoofed iq
reply and attempt to guess the iq id. This could allow an attacker to
inject fake data or trigger a null pointer dereference.

-----

CVE-2013-6484, discovered by Coverity static analysis
Crash reading response from STUN server.
Incorrect error handling when reading the response from a STUN server
could lead to a crash.

-----

CVE-2013-6485, discovered by Matt Jones, Volvent.
Buffer overflow parsing chunked HTTP responses.
A malicious server or man-in-the-middle could cause a buffer overflow
by sending a malformed HTTP response with chunked Transfer-Encoding
with invalid chunk sizes.

-----

CVE-2013-6486, originally discovered by James Burton, Insomnia
Security. Rediscovered by Yves Younan of Sourcefire VRT.
Pidgin uses clickable links to untrusted executables.
If a user clicks on a file:// URI in a received IM in Windows builds
of Pidgin, Pidgin attempts to execute the file. This can be dangerous
if the file:// URI is a path on a network share. This was originally
reported in CVE-2011-3185 in 2011 and we attempted to fix it then, but
failed.

-----

CVE-2013-6487, discovered by Yves Younan and Ryan Pentney of Sourcefire VRT
Buffer overflow in Gadu-Gadu HTTP parsing.
A malicious server or man-in-the-middle could send a large value for
Content-Length and cause an integer overflow which could lead to a
buffer overflow.

-----

CVE-2013-6487, discovered by Yves Younan and Pawel Janic of Sourcefire VRT
Buffer overflow in MXit emoticon parsing.
A specially crafted emoticon value could cause an integer overflow
which could lead to a buffer overflow.

-----

CVE-2013-6487, discovered by Yves Younan of Sourcefire VRT
Buffer overflow in SIMPLE header parsing.
A Content-Length of -1 could lead to a buffer overflow.

-----

CVE-2014-0020, discovered by Daniel Atallah
Remotely triggerable crash in IRC argument parsing.
A malicious server or man-in-the-middle could trigger a crash in
libpurple by sending a message with fewer than expected arguments.

-----

*** The contents of this email are sensitive!  Please do not share
publicly until after the embargo date -- Tuesday 2013-01-28 at 07:00
PST, 10:00 EST, 15:00 UTC ***
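The message above describes two recurring HTTP-parsing bug classes (CVE-2013-6485: bad chunk sizes in chunked Transfer-Encoding; CVE-2013-6487: a huge or negative Content-Length that overflows a length computation) but shows no code. The following C is an added example written for this page; it is not Pidgin or libpurple code and does not reproduce their parsers. It shows the two checks such parsers need: a Content-Length parser that rejects signs, non-digits, overflow and values above a caller-chosen ceiling, and a chunked-body decoder that bounds every chunk size against both the remaining input and the remaining output buffer before copying a byte. The limit MAX_BODY, the function names and the sample responses are this example's own assumptions.

```c
/* Added example, not Pidgin/libpurple code: defensive parsing of
 * Content-Length and chunked Transfer-Encoding. MAX_BODY, the function
 * names and the sample responses below are assumptions of this example. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY 4096   /* assumed ceiling on a body we are willing to buffer */

/* Parse a decimal Content-Length value into *out.
 * Returns 0 on success, -1 if the value is empty, signed (so "-1" is
 * refused), non-numeric, overflows unsigned long long, or exceeds MAX_BODY. */
int parse_content_length(const char *value, size_t *out)
{
    char *end;
    unsigned long long n;

    while (*value == ' ' || *value == '\t')
        value++;
    if (*value < '0' || *value > '9')   /* strtoull would accept "-1"; we do not */
        return -1;
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno == ERANGE || end == value)
        return -1;
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0' || n > MAX_BODY)    /* trailing junk such as "12abc", or too big */
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Convenience wrapper: the parsed length, or -1 if rejected. */
long content_length_or_neg(const char *value)
{
    size_t n;
    return parse_content_length(value, &n) == 0 ? (long)n : -1;
}

/* Decode a chunked body from in[0..in_len) into out[0..out_cap).
 * Returns the decoded length, or -1 on malformed input. Trailers after the
 * last-chunk are ignored. Each chunk size is checked against the remaining
 * input and the remaining output space before memcpy, so a lying size can
 * neither read nor write past either buffer. */
long decode_chunked(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t pos = 0, out_len = 0;

    for (;;) {
        unsigned long long size = 0;
        size_t digits = 0;

        /* chunk-size = 1*HEXDIG [ ";" extension ] CRLF */
        while (pos < in_len) {
            char c = in[pos];
            int v;
            if (c >= '0' && c <= '9')      v = c - '0';
            else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
            else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
            else break;
            if (size > (ULLONG_MAX >> 4))  /* next shift would overflow */
                return -1;
            size = (size << 4) | (unsigned)v;
            pos++;
            digits++;
        }
        if (digits == 0)
            return -1;
        while (pos < in_len && in[pos] != '\r')   /* skip any chunk extension */
            pos++;
        if (pos + 2 > in_len || in[pos] != '\r' || in[pos + 1] != '\n')
            return -1;
        pos += 2;

        if (size == 0)                     /* last-chunk: done */
            return (long)out_len;

        /* The critical bounds checks: data plus its CRLF must exist in the
         * input, and the data must fit in the space left in the output. */
        if (size > in_len - pos || in_len - pos - size < 2)
            return -1;
        if (size > out_cap - out_len)
            return -1;
        memcpy(out + out_len, in + pos, (size_t)size);
        out_len += (size_t)size;
        pos += (size_t)size;
        if (in[pos] != '\r' || in[pos + 1] != '\n')
            return -1;
        pos += 2;
    }
}

/* Constructed sample bodies (not captured traffic). */
static const char GOOD_CHUNKED[] = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
static const char HUGE_CHUNK[]   = "FFFFFFFFFFFFFFFFFFFF\r\nx\r\n0\r\n\r\n";
static const char LYING_CHUNK[]  = "10\r\nabc\r\n0\r\n\r\n"; /* claims 16 bytes, has 3 */

/* Decode a sample into a scratch buffer of at most out_cap bytes. */
long decode_sample(const char *resp, size_t out_cap)
{
    char out[MAX_BODY];
    if (out_cap > sizeof out)
        out_cap = sizeof out;
    return decode_chunked(resp, strlen(resp), out, out_cap);
}

int main(void)
{
    printf("Content-Length \"42\"  -> %ld\n", content_length_or_neg("42"));
    printf("Content-Length \"-1\"  -> %ld\n", content_length_or_neg("-1"));
    printf("good chunked         -> %ld bytes\n", decode_sample(GOOD_CHUNKED, 64));
    printf("good, 8-byte buffer  -> %ld\n", decode_sample(GOOD_CHUNKED, 8));
    printf("overflowing size     -> %ld\n", decode_sample(HUGE_CHUNK, 64));
    printf("lying chunk size     -> %ld\n", decode_sample(LYING_CHUNK, 64));
    return 0;
}
```

The order of the checks matters: the size is validated against the space actually remaining on both sides before any copy, and the hex accumulator refuses to shift once it could wrap, so neither a 20-digit chunk size nor a Content-Length of -1 ever reaches arithmetic that could produce a small or negative length.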
