4 vulnerabilities in libpurple

Daniel Atallah daniel.atallah at gmail.com
Mon Oct 6 10:09:30 EDT 2014


On Thu, Oct 2, 2014 at 6:16 PM, Richard Johnson <rjohnson at sourcefire.com>
wrote:

> Daniel, please give me a firm date or I will move forward with pushing out
> the advisory on our normal schedule. I coordinate vulnerabilities we
> discover with many vendors and the typical timeline is 45 days maximum.
> You've had over 6 months since our original disclosure to you which you
> promptly fixed in your internal code tree. Unfortunately, this has pushed
> beyond my projected delivery dates on my side so we need to move on this.
>

We'll have a date for you by the end of the week.

Thanks,
-D



>
>
> Regards,
>
> Richard Johnson
> Manager, Vulnerability Development
> Cisco Talos (formerly Sourcefire VRT)
>
>
> On Thu, Oct 2, 2014 at 4:32 PM, Daniel Atallah <daniel.atallah at gmail.com>
> wrote:
>
>> On Mon, Sep 29, 2014 at 10:03 PM, Richard Johnson <
>> rjohnson at sourcefire.com> wrote:
>>
>>> Hello Daniel, we haven't seen any progress on these since April, do you
>>> have an ETA for delivery?
>>>
>>
>> Thanks for the reminder.
>>
>> I'll try to get some wheels turning on a release in the not too distant
>> future.
>>
>> -D
>>
>>
>>>
>>> On Sun, Apr 13, 2014 at 12:20 AM, Mark Doliner <mark at kingant.net> wrote:
>>>
>>>> Hi! I fixed the three remaining issues in our private code repo. We're
>>>> still working on a few other issues and we don't yet have an ETA for
>>>> release. We'll keep you updated on any progress.
>>>>
>>>> On Sun, Feb 9, 2014 at 12:45 PM, Daniel Atallah
>>>> <daniel.atallah at gmail.com> wrote:
>>>> > VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of Service
>>>> > Vulnerability:
>>>> > This looks legitimate and still exists in Pidgin 2.10.9
>>>>
>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>> like to review it).
>>>>
>>>> > VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of Service
>>>> > Vulnerabilities:
>>>> > This looks legitimate and still exists in Pidgin 2.10.9.
>>>> > The title for this one in the file refers to Gadu-Gadu - I assume that's
>>>> > just a copy/paste error.
>>>>
>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>> like to review it).
>>>>
>>>> > VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write
>>>> > Vulnerability:
>>>> > This looks legitimate and still exists in Pidgin 2.10.9
>>>>
>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>> like to review it). Were you guys actually able to exploit this? I
>>>> wasn't able to. I could not drag links from a browser to the smiley
>>>> pane of prefs in Windows. I could drag a local file from Windows
>>>> Explorer to the smiley window, but of course that's a valid file name.
>>>>
>>>
>>>
>>>
>>> --
>>> Richard Johnson
>>> Sourcefire VRT
>>>
>>
>>
>
>
> --
> Richard Johnson
> Sourcefire VRT
>