4 vulnerabilities in libpurple

Richard Johnson rjohnson at sourcefire.com
Thu Oct 2 18:16:41 EDT 2014


Daniel, please give me a firm date or I will move forward with pushing out
the advisory on our normal schedule. I coordinate vulnerabilities we
discover with many vendors and the typical timeline is 45 days maximum.
You've had over 6 months since our original disclosure to you which you
promptly fixed in your internal code tree. Unfortunately, this has pushed
beyond my projected delivery dates on my side so we need to move on this.


Regards,

Richard Johnson
Manager, Vulnerability Development
Cisco Talos (formerly Sourcefire VRT)


On Thu, Oct 2, 2014 at 4:32 PM, Daniel Atallah <daniel.atallah at gmail.com>
wrote:

> On Mon, Sep 29, 2014 at 10:03 PM, Richard Johnson <rjohnson at sourcefire.com> wrote:
>
>> Hello Daniel, we haven't seen any progress on these since April, do you
>> have an ETA for delivery?
>>
>
> Thanks for the reminder.
>
> I'll try to get some wheels turning on a release in the not too distant
> future.
>
> -D
>
>
>>
>> On Sun, Apr 13, 2014 at 12:20 AM, Mark Doliner <mark at kingant.net> wrote:
>>
>>> Hi! I fixed the three remaining issues in our private code repo. We're
>>> still working on a few other issues and we don't yet have an ETA for
>>> release. We'll keep you updated on any progress.
>>>
>>> On Sun, Feb 9, 2014 at 12:45 PM, Daniel Atallah
>>> <daniel.atallah at gmail.com> wrote:
>>> > VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of Service
>>> > Vulnerability:
>>> > This looks legitimate and still exists in Pidgin 2.10.9
>>>
>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>> like to review it).
>>>
>>> > VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of Service
>>> > Vulnerabilities:
>>> > This looks legitimate and still exists in Pidgin 2.10.9.
>>> > The title for this one in the file refers to Gadu-Gadu - I assume that's
>>> > just a copy/paste error.
>>>
>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>> like to review it).
>>>
>>> > VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write
>>> > Vulnerability:
>>> > This looks legitimate and still exists in Pidgin 2.10.9
>>>
>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>> like to review it). Were you guys actually able to exploit this? I
>>> wasn't able to. I could not drag links from a browser to the smiley
>>> pane of prefs in Windows. I could drag a local file from Windows
>>> Explorer to the smiley window, but of course that's a valid file name.
>>>
>>
>>
>>
>> --
>> Richard Johnson
>> Sourcefire VRT
>>
>
>


-- 
Richard Johnson
Sourcefire VRT