4 vulnerabilities in libpurple

Daniel Atallah daniel.atallah at gmail.com
Sun Feb 9 15:45:44 EST 2014

On Fri, Feb 7, 2014 at 8:42 PM, Richard Johnson <rjohnson at sourcefire.com>
> Hi Ethan,
> We have 4 more lower severity vulnerabilities in libpurple to report.
Three result in denial of service, and one allows an out-of-bounds write of
a NULL value (this is considered potentially remote code execution so we
may update the advisory title to reflect that before release, however we do
not believe it is a high risk for exploitation attempts).
> Since they are lower severity and you just did a new release, I
understand that it may take some time for these to get pushed out. I would
appreciate an estimate on your next version release date so I can add that
to our internal tracking system.

I took a first pass at some of these:

VRT-2014-0201 - Pidgin libpurple MSN Message Parsing NULL Dereference
Denial of Service Vulnerability:
This has already been fixed and the fix is included in Pidgin 2.10.8

VRT-2014-0202 - Pidgin libpurple STUN Response Length NULL Write
This has also been fixed already for Pidgin 2.10.8 (CVE-2013-6484)

VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of Service
This looks legitimate and still exists in Pidgin 2.10.9

VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of Service
This looks legitimate and still exists in Pidgin 2.10.9.
The title for this one in the file refers to Gadu-Gadu - I assume that's
just a copy/paste error.

VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write
This looks legitimate and still exists in Pidgin 2.10.9

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20140209/1170320f/attachment.html>

More information about the security mailing list