4 vulnerabilities in libpurple

Richard Johnson rjohnson at sourcefire.com
Fri Feb 7 21:40:35 EST 2014

Hi Ethan, we actually had one more advisory to submit. This is a file
write/overwrite with an absolute path on Windows.

On Fri, Feb 7, 2014 at 7:42 PM, Richard Johnson <rjohnson at sourcefire.com> wrote:

> Hi Ethan,
> We have 4 more lower severity vulnerabilities in libpurple to report.
> Three result in denial of service, and one allows an out-of-bounds write of
> a NULL value (this is considered potentially remote code execution so we
> may update the advisory title to reflect that before release, however we do
> not believe it is a high risk for exploitation attempts).
> Since they are lower severity and you just did a new release, I understand
> that it may take some time for these to get pushed out. I would appreciate
> an estimate on your next version release date so I can add that to our
> internal tracking system.
> Regards,
> Richard Johnson
> VULNDEV Team Lead
> Sourcefire VRT

Richard Johnson
Sourcefire VRT
-------------- next part --------------
A non-text attachment was scrubbed...
Name: VRT-2014-0205 - Pidgin Theme-Smiley Untar Arbitrary File Write Vulnerability.txt.gpg
Type: application/octet-stream
Size: 2050 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20140207/063a6a2f/attachment.obj>
