Request for CVEs for Pidgin

Jan Lieskovsky jlieskov at redhat.com
Fri Feb 8 08:24:24 EST 2013


Hello Mark,

  thank you for contacting us and for your request.

----- Original Message -----
> Hi Red Hat security folk!  This is Mark, a developer of Pidgin, Finch
> and libpurple.  We're working on fixing a few security problems.  I
> hope to disclose these to our standard packagers mailing list (which
> includes you) sometime in the next few days.
> 
> I'm wondering if you could assign a few CVE numbers to us?  There are
> four distinct issues (described below).

See below.

> They were either reported to us privately, or were discovered by one of
> our developers after looking at a private static code analysis report.
> 
> 1. Remote MXit user could specify local file path.  The MXit protocol
> plugin saves an image to local disk using a filename that could
> potentially be partially specified by the IM server or by a remote
> user.  Discovered by Chris Wysopal and Veracode.

Please use CVE-2013-0271 for this issue 
(pidgin: local file path specification via MXit protocol plug-in)

> 2. MXit buffer overflow reading data from network.  The code did not
> respect the size of the buffer when parsing HTTP headers, and a
> malicious server or man-in-the-middle could send specially crafted
> data that could overflow the buffer.  This could lead to a crash or
> remote code execution.  Discovered by Daniel Atallah and Coverity.

Please use CVE-2013-0272 for this issue
(CVE-2013-0272 pidgin: MXit buffer overflow when parsing HTTP headers).

> 3. Sametime crash with long user IDs.  libpurple failed to
> null-terminate user IDs that were longer than 4096 bytes.  It's
> plausible that a malicious server could send one of these to us, which
> would lead to a crash.  Discovered by Daniel Atallah and Coverity.

Please use CVE-2013-0273 identifier for this
(CVE-2013-0273 pidgin: Sametime plug-in crash via long user IDs)

> 4. Crash when receiving a UPnP response with abnormally long values.
> libpurple failed to null-terminate some strings when parsing the
> response from a UPnP router.  This could lead to a crash if a
> malicious user on your network responds with a specially crafted
> message.  Discovered by Daniel Atallah and Coverity.

Please use CVE-2013-0274 for this one
(CVE-2013-0274 pidgin: crash when receiving UPnP response
with abnormally long values)

Fwiw regarding proposed patches, will you post them here once they are
available? Any ETA when it is possible to expect them?

Also, regarding reproducers - do you possibly have further information
on how these could be reproduced?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> Thanks!
> --Mark
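
Added example, not part of the original message and not Pidgin or libpurple code: issues 3 and 4 above both describe a fixed-size string left without a terminator when the peer sends an overlong value, and this sketch shows that defect class next to a checked copy. The affected code is not shown in the thread, so the 4096-byte buffer layout, the use of `strncpy`, and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ID_BUF_LEN 4096  /* size named in the report; buffer layout is assumed */

/* Defective pattern (assumed): strncpy() writes no terminator when src has
 * ID_BUF_LEN or more bytes, so dst is not a valid C string afterwards. */
static void copy_id_unterminated(char dst[ID_BUF_LEN], const char *src)
{
    strncpy(dst, src, ID_BUF_LEN);
}

/* Hardened form: reject oversized IDs instead of silently truncating,
 * and always terminate. Returns 0 on success, -1 if the ID is too long. */
static int copy_id_checked(char dst[ID_BUF_LEN], const char *src, size_t src_len)
{
    if (src_len >= ID_BUF_LEN) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Bounded check for a terminator; never reads past the buffer. */
static int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Constructed input: an ID of `len` 'A' bytes standing in for network data. */
static void make_id(char *out, size_t len)
{
    memset(out, 'A', len);
    out[len] = '\0';
}

int main(void)
{
    static char wire[ID_BUF_LEN + 64], id[ID_BUF_LEN];
    make_id(wire, ID_BUF_LEN + 10);
    memset(id, 'x', sizeof id);
    copy_id_unterminated(id, wire);
    printf("strncpy terminated: %d\n", is_terminated(id, sizeof id));
    printf("checked copy rc:    %d, terminated: %d\n",
           copy_id_checked(id, wire, strlen(wire)), is_terminated(id, sizeof id));
    return 0;
}
```

Any later `strlen`, `printf("%s")` or `strdup` on the unterminated buffer reads past its end, which is how a long value turns into the crash the reports describe.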

