Request for CVEs for Pidgin

Mark Doliner mark at kingant.net
Fri Feb 8 03:23:19 EST 2013


Hi Red Hat security folk!  This is Mark, a developer of Pidgin, Finch
and libpurple.  We're working on fixing a few security problems.  I
hope to disclose these to our standard packagers mailing list (which
includes you) sometime in the next few days.

I'm wondering if you could assign a few CVE numbers to us?  There are
four distinct issues (described below).  They were either reported to
us privately, or were discovered by one of our developers after
looking at a private static code analysis report.

1. Remote MXit user could specify local file path.  The MXit protocol
plugin saves an image to local disk using a filename that could
potentially be partially specified by the IM server or by a remote
user.  Discovered by Chris Wysopal and Veracode.

2. MXit buffer overflow reading data from network.  The code did not
respect the size of the buffer when parsing HTTP headers, and a
malicious server or man-in-the-middle could send specially crafted
data that could overflow the buffer.  This could lead to a crash or
remote code execution.  Discovered by Daniel Atallah and Coverity.

3. Sametime crash with long user IDs.  libpurple failed to
null-terminate user IDs that were longer than 4096 bytes.  It's
plausible that a malicious server could send one of these to us, which
would lead to a crash.  Discovered by Daniel Atallah and Coverity.

4. Crash when receiving a UPnP response with abnormally long values.
libpurple failed to null-terminate some strings when parsing the
response from a UPnP router.  This could lead to a crash if a
malicious user on your network responds with a specially crafted
message.  Discovered by Daniel Atallah and Coverity.

Thanks!
--Mark
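
Items 3 and 4 above describe the same bug class: a fixed-size buffer left without a terminating NUL when the input is too long. The C program below is an added illustration, not libpurple's code and not part of the original message; the use of strncpy(), the function names and the buffer layout are assumptions, and only the 4096-byte figure comes from the message.

```c
#include <stdio.h>
#include <string.h>

#define ID_BUF_LEN 4096 /* figure from the report; the buffer itself is hypothetical */

/* Bug pattern (assumed): strncpy() writes no NUL when strlen(src) >= len. */
static void copy_id_unterminated(char *dst, size_t len, const char *src)
{
    strncpy(dst, src, len);
}

/* Hardened copy: always terminates. Returns 1 if truncated, 0 if not, -1 if len is 0. */
static int copy_id_terminated(char *dst, size_t len, const char *src)
{
    size_t n = strlen(src);
    int truncated;
    if (len == 0) return -1;
    truncated = n >= len;
    if (truncated) n = len - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Bounded check for a NUL inside the buffer; never reads past its end. */
static int has_terminator(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Constructed sample input: n 'A' bytes followed by a NUL. */
static void make_id(char *id, size_t n)
{
    memset(id, 'A', n);
    id[n] = '\0';
}

int main(void)
{
    static char id[5001], buf[ID_BUF_LEN];
    int t;
    make_id(id, 5000); /* longer than the 4096-byte buffer */
    copy_id_unterminated(buf, sizeof buf, id);
    printf("strncpy copy terminated: %d\n", has_terminator(buf, sizeof buf));
    t = copy_id_terminated(buf, sizeof buf, id);
    printf("hardened copy terminated: %d (truncated=%d)\n", has_terminator(buf, sizeof buf), t);
    return 0;
}
```

A caller that receives the truncation flag can reject the overlong ID outright instead of using a shortened one.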

