Request for CVEs for Pidgin

Huzaifa Sidhpurwala huzaifas at redhat.com
Tue Oct 14 04:13:18 EDT 2014


Hi All,

Here are your CVEs

CVE-2014-3694 pidgin: Insufficient SSL certificate validation
CVE-2014-3695 pidgin: Remote crash parsing malformed MXit emoticon
CVE-2014-3696 pidgin: Remote crash parsing malformed Groupwise message.
CVE-2014-3697 pidgin: Malicious smiley themes could alter arbitrary files
CVE-2014-3698 pidgin: Potential information leak from XMPP


Thanks!

On 10/14/2014 12:46 PM, Mark Doliner wrote:
> (+cc the Pidgin security mailing list)
>
> On Tue, Oct 14, 2014 at 12:16 AM, Mark Doliner <mark at kingant.net> wrote:
>> Hi Red Hat security folk. This is Mark, a developer of Pidgin, Finch,
>> and libpurple. We're planning to disclose some security problems next
>> week (specifically Wed, Oct 22) and we're wondering if you could
>> assign a few CVE IDs to us? All problems were reported to us in 2014.
>> As far as we know the problems are not public.
>> Thanks,
>> Mark
>>
>>
>>
>> The issues are as follows (I'm sure you know this, but please don't
>> publicly disclose this information!):
>>
>> -----
>>
>> 1. Insufficient SSL certificate validation. Discovered by an anonymous
>> person and Jacob Appelbaum of the Tor Project.
>> Both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one
>> for NSS) failed to check that the Basic Constraints extension allowed
>> intermediate certificates to act as CAs. This allowed anyone with any
>> valid certificate to create a fake certificate for any arbitrary
>> domain and Pidgin would trust it.
>>
>> -----
>>
>> 2. Remote crash parsing malformed MXit emoticon. Discovered by Yves
>> Younan and Richard Johnson of Sourcefire VRT.
>> A malicious server or man-in-the-middle could trigger a crash in
>> libpurple by sending an emoticon with an overly large length value.
>>
>> -----
>>
>> 3. Remote crash parsing malformed Groupwise message. Discovered by
>> Yves Younan and Richard Johnson of Sourcefire VRT.
>> A malicious server or man-in-the-middle could trigger a crash in
>> libpurple by specifying that a large amount of memory should be
>> allocated in many places in the UI.
>>
>> -----
>>
>> 4. Malicious smiley themes could alter arbitrary files. Discovered by
>> Yves Younan of Sourcefire VRT.
>> A bug in the untar code on Windows could allow a malicious smiley
>> theme to place a file anywhere on the file system, or alter an
>> existing file when installing a smiley theme via drag and drop on
>> Windows.
>>
>> -----
>>
>> 5. Potential information leak from XMPP. Discovered by Thijs Alkemade
>> and Paul Aurich.
>> A malicious server and possibly even a malicious remote user could
>> create a carefully crafted XMPP message that causes libpurple to send
>> an XMPP message containing arbitrary memory.
>>
>> -----


-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
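
The Basic Constraints check described in issue 1 of the quoted report, as an added example that is not part of the original thread and is not libpurple's code: a chain validator that only follows issuer links, next to one that also requires every issuing certificate to be a CA. The `struct cert` model, the function names and the sample chains are constructed for illustration, and issuer-name matching stands in for signature verification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a certificate; real code reads these from X.509. */
struct cert {
    const char *subject;
    const char *issuer;
    bool is_ca;                 /* Basic Constraints cA flag */
};

/* Issuer-name chaining only (stands in for signature checks, an assumption).
 * chain[0] is the leaf; chain[n-1] must be issued by the trusted root. */
static bool chain_links(const struct cert *chain, size_t n, const char *root)
{
    if (n == 0)
        return false;
    for (size_t i = 0; i + 1 < n; i++)
        if (strcmp(chain[i].issuer, chain[i + 1].subject) != 0)
            return false;
    return strcmp(chain[n - 1].issuer, root) == 0;
}

/* Adds the check the report says was missing: every certificate that
 * issued another one in the chain must be marked as a CA. */
static bool chain_valid(const struct cert *chain, size_t n, const char *root)
{
    if (!chain_links(chain, n, root))
        return false;
    for (size_t i = 1; i < n; i++)
        if (!chain[i].is_ca)
            return false;
    return true;
}

/* Constructed sample data: a normal chain, and one where an ordinary
 * end-entity certificate (is_ca == false) appears as an issuer. */
static const char ROOT[] = "Example Root CA";
static const struct cert legit[] = {
    { "im.example.org", "Example Intermediate CA", false },
    { "Example Intermediate CA", "Example Root CA", true },
};
static const struct cert forged[] = {
    { "im.example.org", "mallory.example.net", false },
    { "mallory.example.net", "Example Intermediate CA", false },
    { "Example Intermediate CA", "Example Root CA", true },
};

int main(void) { return !(chain_valid(legit, 2, ROOT) && !chain_valid(forged, 3, ROOT)); }
```
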

