4 vulnerabilities in libpurple

Richard Johnson rjohnson at sourcefire.com
Thu Oct 9 21:54:34 EDT 2014


Thank you for the update!

On Thu, Oct 9, 2014 at 7:47 PM, Daniel Atallah <daniel.atallah at gmail.com>
wrote:

>
> On Mon, Oct 6, 2014 at 10:09 AM, Daniel Atallah <daniel.atallah at gmail.com>
> wrote:
>
>>
>> On Thu, Oct 2, 2014 at 6:16 PM, Richard Johnson <rjohnson at sourcefire.com>
>> wrote:
>>
>>> Daniel, please give me a firm date or I will move forward with pushing
>>> out the advisory on our normal schedule. I coordinate vulnerabilities we
>>> discover with many vendors and the typical timeline is 45 days maximum.
>>> You've had over 6 months since our original disclosure to you which you
>>> promptly fixed in your internal code tree. Unfortunately, this has pushed
>>> beyond my projected delivery dates on my side so we need to move on this.
>>>
>>
>> We'll have a date for you by the end of the week.
>>
>> Thanks,
>> -D
>>
>
> We've scheduled the 2.10.10 release for October 22nd.
>
> We will be coordinating getting CVEs for the following:
>
> * VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of
> Service Vulnerability:
> * VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of
> Service Vulnerabilities:
> * VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write
> Vulnerability:
>
> Thanks again,
> Daniel
>
>
>
>>>
>>> Regards,
>>>
>>> Richard Johnson
>>> Manager, Vulnerability Development
>>> Cisco Talos (formerly Sourcefire VRT)
>>>
>>>
>>> On Thu, Oct 2, 2014 at 4:32 PM, Daniel Atallah <daniel.atallah at gmail.com>
>>> wrote:
>>>
>>>> On Mon, Sep 29, 2014 at 10:03 PM, Richard Johnson <
>>>> rjohnson at sourcefire.com> wrote:
>>>>
>>>>> Hello Daniel, we haven't seen any progress on these since April, do
>>>>> you have an ETA for delivery?
>>>>>
>>>>
>>>> Thanks for the reminder.
>>>>
>>>> I'll try to get some wheels turning on a release in the not too distant
>>>> future.
>>>>
>>>> -D
>>>>
>>>>
>>>>>
>>>>> On Sun, Apr 13, 2014 at 12:20 AM, Mark Doliner <mark at kingant.net>
>>>>> wrote:
>>>>>
>>>>>> Hi! I fixed the three remaining issues in our private code repo. We're
>>>>>> still working on a few other issues and we don't yet have an ETA for
>>>>>> release. We'll keep you updated on any progress.
>>>>>>
>>>>>> On Sun, Feb 9, 2014 at 12:45 PM, Daniel Atallah
>>>>>> <daniel.atallah at gmail.com> wrote:
>>>>>> > VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of
>>>>>> Service
>>>>>> > Vulnerability:
>>>>>> > This looks legitimate and still exists in Pidgin 2.10.9
>>>>>>
>>>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>>>> like to review it).
>>>>>>
>>>>>> > VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of
>>>>>> Service
>>>>>> > Vulnerabilities:
>>>>>> > This looks legitimate and still exists in Pidgin 2.10.9.
>>>>>> > The title for this one in the file refers to Gadu-Gadu - I assume
>>>>>> that's
>>>>>> > just a copy/paste error.
>>>>>>
>>>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>>>> like to review it).
>>>>>>
>>>>>> > VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write
>>>>>> > Vulnerability:
>>>>>> > This looks legitimate and still exists in Pidgin 2.10.9
>>>>>>
>>>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>>>> like to review it). Were you guys actually able to exploit this? I
>>>>>> wasn't able to. I could not drag links from a browser to the smiley
>>>>>> pane of prefs in Windows. I could drag a local file from Windows
>>>>>> Explorer to the smiley window, but of course that's a valid file name.
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Richard Johnson
>>>>> Sourcefire VRT
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Richard Johnson
>>> Sourcefire VRT
>>>
>>
>>
>


-- 
Richard Johnson
Sourcefire VRT