4 vulnerabilities in libpurple

Tue Oct 14 08:58:07 EDT 2014

Hi Daniel, I wanted to mention that we'd like to modify the way we do our
credit byline since our acquisition by Cisco. In place of Sourcefire VRT,
we are now 'Cisco Talos' so if the credit was:
Discovered by Yves Younan of Sourcefire VRT

we would like it to read:
Discovered by Yves Younan of Cisco Talos

Thanks!

On Fri, Oct 10, 2014 at 9:54 AM, Richard Johnson <rjohnson at sourcefire.com>
wrote:

> Thank you for the update!
>
> On Thu, Oct 9, 2014 at 7:47 PM, Daniel Atallah <daniel.atallah at gmail.com>
> wrote:
>
>>
>> On Mon, Oct 6, 2014 at 10:09 AM, Daniel Atallah <daniel.atallah at gmail.com
>> > wrote:
>>
>>>
>>> On Thu, Oct 2, 2014 at 6:16 PM, Richard Johnson <rjohnson at sourcefire.com
>>> > wrote:
>>>
>>>> Daniel, please give me a firm date or I will move forward with pushing
>>>> out the advisory on our normal schedule. I coordinate vulnerabilities we
>>>> discover with many vendors and the typical timeline is 45 days maximum.
>>>> You've had over 6 months since our original disclosure to you which you
>>>> promptly fixed in your internal code tree. Unfortunately, this has pushed
>>>> beyond my projected delivery dates on my side so we need to move on this.
>>>>
>>>
>>> We'll have a date for you by the end of the week.
>>>
>>> Thanks,
>>> -D
>>>
>>
>> We've scheduled the 2.10.10 release for October 22nd.
>>
>> We will be coordinating getting CVEs for the following:
>>
>> * VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of
>> Service Vulnerability:
>> * VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of
>> Service Vulnerabilities:
>> * VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write
>> Vulnerability:
>>
>> Thanks again,
>> Daniel
>>
>>
>>
>>>>
>>>> Regards,
>>>>
>>>> Richard Johnson
>>>> Manager, Vulnerability Development
>>>> Cisco Talos (formerly Sourcefire VRT)
>>>>
>>>>
>>>> On Thu, Oct 2, 2014 at 4:32 PM, Daniel Atallah <
>>>> daniel.atallah at gmail.com> wrote:
>>>>
>>>>> On Mon, Sep 29, 2014 at 10:03 PM, Richard Johnson <
>>>>> rjohnson at sourcefire.com> wrote:
>>>>>
>>>>>> Hello Daniel, we haven't seen any progress on these since April, do
>>>>>> you have an ETA for delivery?
>>>>>>
>>>>>
>>>>> Thanks for the reminder.
>>>>>
>>>>> I'll try to get some wheels turning on a release in the not too
>>>>> distant future.
>>>>>
>>>>> -D
>>>>>
>>>>>
>>>>>>
>>>>>> On Sun, Apr 13, 2014 at 12:20 AM, Mark Doliner <mark at kingant.net>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi! I fixed the three remaining issues in our private code repo.
>>>>>>> We're
>>>>>>> still working on a few other issues and we don't yet have an ETA for
>>>>>>> release. We'll keep you updated on any progress.
>>>>>>>
>>>>>>> On Sun, Feb 9, 2014 at 12:45 PM, Daniel Atallah
>>>>>>> <daniel.atallah at gmail.com> wrote:
>>>>>>> > VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial
>>>>>>> of Service
>>>>>>> > Vulnerability:
>>>>>>> > This looks legitimate and still exists in Pidgin 2.10.9
>>>>>>>
>>>>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>>>>> like to review it).
>>>>>>>
>>>>>>> > VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial
>>>>>>> of Service
>>>>>>> > Vulnerabilities:
>>>>>>> > This looks legitimate and still exists in Pidgin 2.10.9.
>>>>>>> > The title for this one in the file refers to Gadu-Gadu - I assume
>>>>>>> that's
>>>>>>> > just a copy/paste error.
>>>>>>>
>>>>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>>>>> like to review it).
>>>>>>>
>>>>>>> > VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write
>>>>>>> > Vulnerability:
>>>>>>> > This looks legitimate and still exists in Pidgin 2.10.9
>>>>>>>
>>>>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>>>>> like to review it). Were you guys actually able to exploit this? I
>>>>>>> wasn't able to. I could not drag links from a browser to the smiley
>>>>>>> pane of prefs in Windows. I could drag a local file from Windows
>>>>>>> Explorer to the smiley window, but of course that's a valid file
>>>>>>> name.
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Richard Johnson
>>>>>> Sourcefire VRT
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Richard Johnson
>>>> Sourcefire VRT
>>>>
>>>
>>>
>>
>
>
> --
> Richard Johnson
> Sourcefire VRT
>

-- 
Richard Johnson
Sourcefire VRT
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20141014/82eeff59/attachment.html>