4 vulnerabilities in libpurple

Rich Johnson (richjoh) richjoh at cisco.com
Mon Feb 17 17:23:19 EST 2014 

Hello, it appears my rjohnson at sourcefire account has not been able to receive email for the past week so I wanted to make sure my Cisco email gets looped in (we’re going through the transition due to acquisition). If I missed anything after the below email, I apologize, please let me know. We did confirm that the two bugs below were fixed in the last update.

Regards,
Richard Johnson



From: Daniel Atallah [mailto:daniel.atallah at gmail.com]
Sent: Sunday, February 09, 2014 2:46 PM
To: Richard Johnson
Cc: Ethan Blanton; Pidgin Security; VRT-vulndev
Subject: Re: 4 vulnerabilities in libpurple


On Fri, Feb 7, 2014 at 8:42 PM, Richard Johnson <rjohnson at sourcefire.com<mailto:rjohnson at sourcefire.com>> wrote:
>
> Hi Ethan,
>
> We have 4 more lower severity vulnerabilities in libpurple to report. Three result in denial of service, and one allows an out-of-bounds write of a NULL value (this is considered potentially remote code execution so we may update the advisory title to reflect that before release, however we do not believe it is a high risk for exploitation attempts).
>
> Since they are lower severity and you just did a new release, I understand that it may take some time for these to get pushed out. I would appreciate an estimate on your next version release date so I can add that to our internal tracking system.


I took a first pass at some of these:

VRT-2014-0201 - Pidgin libpurple MSN Message Parsing NULL Dereference Denial of Service Vulnerability:
This has already been fixed and the fix is included in Pidgin 2.10.8 (CVE-2013-6482).
https://pidgin.im/news/security/?id=75


VRT-2014-0202 - Pidgin libpurple STUN Response Length NULL Write Vulnerability:
This has also been fixed already for Pidgin 2.10.8 (CVE-2013-6484)
https://pidgin.im/news/security/?id=79


VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of Service Vulnerability:
This looks legitimate and still exists in Pidgin 2.10.9

VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of Service Vulnerabilities:
This looks legitimate and still exists in Pidgin 2.10.9.
The title for this one in the file refers to Gadu-Gadu - I assume that's just a copy/paste error.

VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write Vulnerability:
This looks legitimate and still exists in Pidgin 2.10.9

-D


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20140217/bdd5c042/attachment.html>

More information about the security mailing list