Request for CVEs for Pidgin

Mark Doliner mark at kingant.net
Tue Oct 14 03:16:46 EDT 2014


(+cc the Pidgin security mailing list)

On Tue, Oct 14, 2014 at 12:16 AM, Mark Doliner <mark at kingant.net> wrote:
> Hi Red Hat security folk. This is Mark, a developer of Pidgin, Finch,
> and libpurple. We're planning to disclose some security problems next
> week (specifically Wed, Oct 22) and we're wondering if you could
> assign a few CVE IDs to us? All problems were reported to us in 2014.
> As far as we know the problems are not public.
> Thanks,
> Mark
>
>
>
> The issues are as follows (I'm sure you know this, but please don't
> publicly disclose this information!):
>
> -----
>
> 1. Insufficient SSL certificate validation. Discovered by an anonymous
> person and Jacob Appelbaum of the Tor Project.
> Both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one
> for NSS) failed to check that the Basic Constraints extension allowed
> intermediate certificates to act as CAs. This allowed anyone with any
> valid certificate to create a fake certificate for any arbitrary
> domain and Pidgin would trust it.
>
> -----
>
> 2. Remote crash parsing malformed MXit emoticon. Discovered by Yves
> Younan and Richard Johnson of Sourcefire VRT.
> A malicious server or man-in-the-middle could trigger a crash in
> libpurple by sending an emoticon with an overly large length value.
>
> -----
>
> 3. Remote crash parsing malformed Groupwise message. Discovered by
> Yves Younan and Richard Johnson of Sourcefire VRT.
> A malicious server or man-in-the-middle could trigger a crash in
> libpurple by specifying that a large amount of memory should be
> allocated in many places in the UI.
>
> -----
>
> 4. Malicious smiley themes could alter arbitrary files. Discovered by
> Yves Younan of Sourcefire VRT.
> A bug in the untar code on Windows could allow a malicious smiley
> theme to place a file anywhere on the file system, or alter an
> existing file when installing a smiley theme via drag and drop on
> Windows.
>
> -----
>
> 5. Potential information leak from XMPP. Discovered by Thijs Alkemade
> and Paul Aurich.
> A malicious server and possibly even a malicious remote user could
> create a carefully crafted XMPP message that causes libpurple to send
> an XMPP message containing arbitrary memory.
>
> -----
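
Item 1 in the message above, modelled as an added example; this is not Pidgin, GnuTLS or NSS code. The `struct cert` type, `chain_ok`, its `check_bc` switch and all certificate names are constructed for illustration, and signature verification is reduced to issuer/subject name matching.

```c
#include <stddef.h>
#include <string.h>

/* Simplified certificate model (constructed for this example). */
struct cert {
    const char *subject;
    const char *issuer;
    int is_ca;     /* Basic Constraints cA flag; 0 if the extension is absent */
    int path_len;  /* pathLenConstraint; -1 if not present */
};

/* chain[0] is the leaf; chain[n-1] must be issued by trusted_root.
 * Returns 1 if the chain is accepted, 0 if rejected.
 * check_bc == 0 models a validator that skips Basic Constraints. */
int chain_ok(const struct cert *chain, size_t n, const char *trusted_root,
             int check_bc)
{
    if (n == 0 || strcmp(chain[n - 1].issuer, trusted_root) != 0)
        return 0;
    for (size_t i = 0; i + 1 < n; i++) {
        const struct cert *issuer = &chain[i + 1];
        if (strcmp(chain[i].issuer, issuer->subject) != 0)
            return 0;              /* chain does not link up */
        if (!check_bc)
            continue;
        if (!issuer->is_ca)
            return 0;              /* end-entity certificate acting as a CA */
        /* i intermediate CA certificates sit below this issuer */
        if (issuer->path_len >= 0 && (size_t)issuer->path_len < i)
            return 0;              /* pathLenConstraint exceeded */
    }
    return 1;
}

/* Constructed sample: an ordinary site certificate signs a second one. */
static const struct cert forged_chain[] = {
    { "bank.example",    "site.example",    0, -1 },
    { "site.example",    "Intermediate CA", 0, -1 },  /* valid, but not a CA */
    { "Intermediate CA", "Root CA",         1,  0 },
};

/* Constructed sample: a sub-CA below an issuer whose path length is 0. */
static const struct cert pathlen_chain[] = {
    { "site.example",    "Sub CA",          0, -1 },
    { "Sub CA",          "Intermediate CA", 1, -1 },
    { "Intermediate CA", "Root CA",         1,  0 },
};
```

`forged_chain + 1` with a length of 2 is the legitimate chain for `site.example` and passes with the check enabled.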

