Pidgin Security Vulnerabilities

Gary Kramlich grim at pidgin.im
Tue Jun 14 00:01:17 EDT 2016


*** The contents of this email are sensitive! Please do not share
publicly until after the embargo date -- Tuesday 2016-06-21 at 17:00
PST, 20:00 EST, 00:00 UTC ***

Greetings Pidgin Packagers!

I regret to inform you that we are disclosing a large number of security
vulnerabilities in pidgin and libpurple.  We will be releasing 2.11.0 in
just under seven days on Tuesday June 21 at 00:00 UTC.

Sorry for the tight timeline; this is my first security release and it
hasn't gone exactly to plan.  Likewise, if there's anything I could do
better, please let me know.

Also, we still need to request a CVE for the GnuTLS issue mentioned below.

Most of the issues are in the MXit protocol plugin which is not widely
used.  Please note that there is one patch for TALOS-CAN-0120,
TALOS-CAN-0138, and TALOS-CAN-0140 as they share code paths and we avoid
some conflicts by using a single patch.

The other issue is in our initialization of GnuTLS where we were not
correctly checking return values.

The provided patches [1] were all generated against the 2.11.0 branch
that we will be releasing.  That said, the patches have all been tested
against the 2.10.12 release and apply cleanly aside from their ChangeLog
entries.  I have also provided a single patch that includes all of the
fixes for the vulnerabilities if you find that easier to use.

The final 2.11.0 tarball will be ready later this week as well and I
will reply to this thread when it is ready.

[1] https://pidgin.im/~grim/pidgin-2.11.0-GxZgE6wvFUFbpNCCtyDnMkfHVGWZa8/

Please let me know if you have any questions.

Thanks,

Gary Kramlich <grim at reaperworld.com>

-----

CVE-2016-xxxx

x509 certificates may be improperly imported.
Discovered by Yuan Kang and Suman Jana from Columbia University and
Baishakhi Ray from the University of Virginia.
This patch was written by dequis.

-----

TALOS-CAN-0118

Pidgin MXIT read stage 0x3 Code Execution Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0119

Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0120
Pidgin MXIT get_utf8_string Code Execution Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0123
Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0128
Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0133
Pidgin MXIT Markup Command Denial of Service Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0134
Pidgin MXIT Table Command Denial of Service Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0135
Pidgin MXIT Avatar Length Memory Disclosure Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0136
Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerabilities
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0137
Pidgin MXIT CP_SOCK_REC_TERM Denial of Service Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0138
Pidgin MXIT Custom Resource Denial of Service Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0139
Pidgin MXIT Extended Profiles Code Execution Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0140
Pidgin MXIT File Transfer Length Memory Disclosure Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0141
Pidgin MXIT Contact Mood Denial of Service Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0142
Pidgin MXIT MultiMX Message Code Execution Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

TALOS-CAN-0143
Pidgin MXIT Suggested Contacts Memory Disclosure Vulnerability
Reported by Regina Wilson of Cisco Talos and was discovered by Yves
Younan of Cisco Talos.

-----

*** The contents of this email are sensitive! Please do not share
publicly until after the embargo date -- Tuesday 2016-06-21 at 17:00
PST, 20:00 EST, 00:00 UTC ***

