4 vulnerabilities in libpurple
Richard Johnson
rjohnson at sourcefire.com
Fri Feb 7 20:42:33 EST 2014
Hi Ethan,

We have 4 more lower severity vulnerabilities in libpurple to report. Three
result in denial of service, and one allows an out-of-bounds write of a
NULL value (this is considered potentially remote code execution so we may
update the advisory title to reflect that before release, however we do not
believe it is a high risk for exploitation attempts).

Since they are lower severity and you just did a new release, I understand
that it may take some time for these to get pushed out. I would appreciate
an estimate on your next version release date so I can add that to our
internal tracking system.

Regards,

Richard Johnson
VULNDEV Team Lead
Sourcefire VRT
-------------- next part --------------
A non-text attachment was scrubbed...
Name: VRT-2014-0201 - Pidgin libpurple MSN Message Parsing NULL Dereference Denial of Service Vulnerability.txt.gpg
Type: application/octet-stream
Size: 1689 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20140207/db439fc4/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: VRT-2014-0202 - Pidgin libpurple STUN Response Length NULL Write Vulnerability.txt.gpg
Type: application/octet-stream
Size: 1582 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20140207/db439fc4/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of Service Vulnerability.txt.gpg
Type: application/octet-stream
Size: 2199 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20140207/db439fc4/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: VRT-2014-0204 - Pidgin libpurple Novell Protocol Multiple Denial of Service Vulnerabilities.txt.gpg
Type: application/octet-stream
Size: 1775 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20140207/db439fc4/attachment-0003.obj>