4 vulnerabilities in libpurple

Daniel Atallah daniel.atallah at gmail.com
Thu Oct 2 17:32:11 EDT 2014


On Mon, Sep 29, 2014 at 10:03 PM, Richard Johnson <rjohnson at sourcefire.com>
wrote:

> Hello Daniel, we haven't seen any progress on these since April, do you
> have an ETA for delivery?
>

Thanks for the reminder.

I'll try to get some wheels turning on a release in the not too distant
future.

-D


>
> On Sun, Apr 13, 2014 at 12:20 AM, Mark Doliner <mark at kingant.net> wrote:
>
>> Hi! I fixed the three remaining issues in our private code repo. We're
>> still working on a few other issues and we don't yet have an ETA for
>> release. We'll keep you updated on any progress.
>>
>> On Sun, Feb 9, 2014 at 12:45 PM, Daniel Atallah
>> <daniel.atallah at gmail.com> wrote:
>> > VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of
>> > Service Vulnerability:
>> > This looks legitimate and still exists in Pidgin 2.10.9
>>
>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>> like to review it).
>>
>> > VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of
>> > Service Vulnerabilities:
>> > This looks legitimate and still exists in Pidgin 2.10.9.
>> > The title for this one in the file refers to Gadu-Gadu - I assume that's
>> > just a copy/paste error.
>>
>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>> like to review it).
>>
>> > VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write
>> > Vulnerability:
>> > This looks legitimate and still exists in Pidgin 2.10.9
>>
>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>> like to review it). Were you guys actually able to exploit this? I
>> wasn't able to. I could not drag links from a browser to the smiley
>> pane of prefs in Windows. I could drag a local file from Windows
>> Explorer to the smiley window, but of course that's a valid file name.
>>
>
>
>
> --
> Richard Johnson
> Sourcefire VRT
>