4 vulnerabilities in libpurple

Thu Oct 9 20:47:51 EDT 2014

On Mon, Oct 6, 2014 at 10:09 AM, Daniel Atallah <daniel.atallah at gmail.com>
wrote:

>
> On Thu, Oct 2, 2014 at 6:16 PM, Richard Johnson <rjohnson at sourcefire.com>
> wrote:
>
>> Daniel, please give me a firm date or I will move forward with pushing
>> out the advisory on our normal schedule. I coordinate vulnerabilities we
>> discover with many vendors and the typical timeline is 45 days maximum.
>> You've had over 6 months since our original disclosure to you which you
>> promptly fixed in your internal code tree. Unfortunately, this has pushed
>> beyond my projected delivery dates on my side so we need to move on this.
>>
>
> We'll have a date for you by the end of the week.
>
> Thanks,
> -D
>

We've scheduled the 2.10.10 release for October 22nd.

We will be coordinating getting CVEs for the following:

* VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of
Service Vulnerability:
* VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of
Service Vulnerabilities:
* VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write
Vulnerability:

Thanks again,
Daniel

>>
>> Regards,
>>
>> Richard Johnson
>> Manager, Vulnerability Development
>> Cisco Talos (formerly Sourcefire VRT)
>>
>>
>> On Thu, Oct 2, 2014 at 4:32 PM, Daniel Atallah <daniel.atallah at gmail.com>
>> wrote:
>>
>>> On Mon, Sep 29, 2014 at 10:03 PM, Richard Johnson <
>>> rjohnson at sourcefire.com> wrote:
>>>
>>>> Hello Daniel, we haven't seen any progress on these since April, do you
>>>> have an ETA for delivery?
>>>>
>>>
>>> Thanks for the reminder.
>>>
>>> I'll try to get some wheels turning on a release in the not too distant
>>> future.
>>>
>>> -D
>>>
>>>
>>>>
>>>> On Sun, Apr 13, 2014 at 12:20 AM, Mark Doliner <mark at kingant.net>
>>>> wrote:
>>>>
>>>>> Hi! I fixed the three remaining issues in our private code repo. We're
>>>>> still working on a few other issues and we don't yet have an ETA for
>>>>> release. We'll keep you updated on any progress.
>>>>>
>>>>> On Sun, Feb 9, 2014 at 12:45 PM, Daniel Atallah
>>>>> <daniel.atallah at gmail.com> wrote:
>>>>> > VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of
>>>>> Service
>>>>> > Vulnerability:
>>>>> > This looks legitimate and still exists in Pidgin 2.10.9
>>>>>
>>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>>> like to review it).
>>>>>
>>>>> > VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of
>>>>> Service
>>>>> > Vulnerabilities:
>>>>> > This looks legitimate and still exists in Pidgin 2.10.9.
>>>>> > The title for this one in the file refers to Gadu-Gadu - I assume
>>>>> that's
>>>>> > just a copy/paste error.
>>>>>
>>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>>> like to review it).
>>>>>
>>>>> > VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write
>>>>> > Vulnerability:
>>>>> > This looks legitimate and still exists in Pidgin 2.10.9
>>>>>
>>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>>> like to review it). Were you guys actually able to exploit this? I
>>>>> wasn't able to. I could not drag links from a browser to the smiley
>>>>> pane of prefs in Windows. I could drag a local file from Windows
>>>>> Explorer to the smiley window, but of course that's a valid file name.
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Richard Johnson
>>>> Sourcefire VRT
>>>>
>>>
>>>
>>
>>
>> --
>> Richard Johnson
>> Sourcefire VRT
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20141009/22b8532d/attachment.html>