Request for CVEs for Pidgin

Daniel Atallah datallah at pidgin.im
Tue Oct 14 12:39:24 EDT 2014


On Tue, Oct 14, 2014 at 4:13 AM, Huzaifa Sidhpurwala <huzaifas at redhat.com>
wrote:

> Hi All,
>
> Here are your CVEs
>
> CVE-2014-3694 pidgin: Insufficient SSL certificate validation
> CVE-2014-3695 pidgin: Remote crash parsing malformed MXit emoticon
> CVE-2014-3696 pidgin: Remote crash parsing malformed Groupwise message.
> CVE-2014-3697 pidgin: Malicious smiley themes could alter arbitrary files
> CVE-2014-3698 pidgin: Potential information leak from XMPP
>

I'm not sure how feasible it is to change the credits for some of these at
this point, but we've had a request from the folks who discovered
CVE-2014-3695, CVE-2014-3696, CVE-2014-3697 that references to "Sourcefire
VRT" be updated to "Cisco Talos" due to the acquisition by Cisco and recent
renaming of the VRT team.

Thanks,
-Daniel



>
> Thanks!
>
>
> On 10/14/2014 12:46 PM, Mark Doliner wrote:
>
>> (+cc the Pidgin security mailing list)
>>
>> On Tue, Oct 14, 2014 at 12:16 AM, Mark Doliner <mark at kingant.net> wrote:
>>
>>> Hi Red Hat security folk. This is Mark, a developer of Pidgin, Finch,
>>> and libpurple. We're planning to disclose some security problems next
>>> week (specifically Wed, Oct 22) and we're wondering if you could
>>> assign a few CVE IDs to us? All problems were reported to us in 2014.
>>> As far as we know the problems are not public.
>>> Thanks,
>>> Mark
>>>
>>>
>>>
>>> The issues are as follows (I'm sure you know this, but please don't
>>> publicly disclose this information!):
>>>
>>> -----
>>>
>>> 1. Insufficient SSL certificate validation. Discovered by an anonymous
>>> person and Jacob Appelbaum of the Tor Project.
>>> Both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one
>>> for NSS) failed to check that the Basic Constraints extension allowed
>>> intermediate certificates to act as CAs. This allowed anyone with any
>>> valid certificate to create a fake certificate for any arbitrary
>>> domain and Pidgin would trust it.
>>>
>>> -----
>>>
>>> 2. Remote crash parsing malformed MXit emoticon. Discovered by Yves
>>> Younan and Richard Johnson of Sourcefire VRT.
>>> A malicious server or man-in-the-middle could trigger a crash in
>>> libpurple by sending an emoticon with an overly large length value.
>>>
>>> -----
>>>
>>> 3. Remote crash parsing malformed Groupwise message. Discovered by
>>> Yves Younan and Richard Johnson of Sourcefire VRT.
>>> A malicious server or man-in-the-middle could trigger a crash in
>>> libpurple by specifying that a large amount of memory should be
>>> allocated in many places in the UI.
>>>
>>> -----
>>>
>>> 4. Malicious smiley themes could alter arbitrary files. Discovered by
>>> Yves Younan of Sourcefire VRT.
>>> A bug in the untar code on Windows could allow a malicious smiley
> >>> theme to place a file anywhere on the file system, or alter an
>>> existing file when installing a smiley theme via drag and drop on
>>> Windows.
>>>
>>> -----
>>>
>>> 5. Potential information leak from XMPP. Discovered by Thijs Alkemade
>>> and Paul Aurich.
>>> A malicious server and possibly even a malicious remote user could
>>> create a carefully crafted XMPP message that causes libpurple to send
>>> an XMPP message containing arbitrary memory.
>>>
>>> -----
>>>
>>
>
> --
> Huzaifa Sidhpurwala / Red Hat Product Security Team
>
> _______________________________________________
> security mailing list
> security at pidgin.im
> https://pidgin.im/cgi-bin/mailman/listinfo/security
>
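Item 1 above (the missing Basic Constraints check) is worth seeing in code. What follows is an added example written for this page; it is not libpurple's GnuTLS or NSS plugin code. It parses the DER-encoded BasicConstraints extension value (RFC 5280, section 4.2.1.9) and applies the check the two plugins lacked: every issuer in a chain must carry cA=TRUE, and no issuer may have more intermediates beneath it than its pathLenConstraint allows. The cert_t struct, the extension byte strings and the sample chains are constructed for illustration; a real plugin would obtain the extension through the TLS library's own certificate API instead of a hand-built struct.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded BasicConstraints (RFC 5280 4.2.1.9):
 *   BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
 *                                   pathLenConstraint INTEGER (0..MAX) OPTIONAL } */
typedef struct {
    bool ca;        /* cA flag; false when omitted (DER omits DEFAULT values) */
    int  path_len;  /* pathLenConstraint, or -1 when absent */
} basic_constraints;

/* Decode a DER length (short or long form). Returns bytes consumed, 0 on error. */
static size_t der_len(const uint8_t *p, size_t n, size_t *out)
{
    if (n < 1) return 0;
    if (p[0] < 0x80) { *out = p[0]; return 1; }
    size_t k = p[0] & 0x7f;
    if (k == 0 || k > sizeof(size_t) || n < 1 + k) return 0;
    size_t v = 0;
    for (size_t i = 0; i < k; i++) v = (v << 8) | p[1 + i];
    *out = v;
    return 1 + k;
}

/* Parse the extension value (the SEQUENCE inside extnValue). Strict: rejects
 * trailing bytes, non-DER booleans and multi-byte path lengths as malformed. */
bool parse_basic_constraints(const uint8_t *der, size_t n, basic_constraints *bc)
{
    bc->ca = false;
    bc->path_len = -1;
    if (n < 2 || der[0] != 0x30) return false;           /* must be a SEQUENCE */
    size_t len, used = der_len(der + 1, n - 1, &len);
    if (used == 0 || 1 + used + len != n) return false;   /* length must match exactly */
    const uint8_t *p = der + 1 + used, *end = p + len;
    if (p < end && p[0] == 0x01) {                        /* BOOLEAN cA */
        if (end - p < 3 || p[1] != 0x01) return false;
        if (p[2] != 0x00 && p[2] != 0xff) return false;   /* DER allows only 00 / FF */
        bc->ca = (p[2] == 0xff);
        p += 3;
    }
    if (p < end && p[0] == 0x02) {                        /* INTEGER pathLenConstraint */
        if (end - p < 3 || p[1] != 0x01 || (p[2] & 0x80)) return false;  /* one non-negative byte */
        bc->path_len = p[2];
        p += 3;
    }
    return p == end;                                      /* nothing else may follow */
}

/* Assumed struct for this example: only the field the check needs. */
typedef struct {
    const uint8_t *bc_der;  /* BasicConstraints extension value, or NULL if absent */
    size_t bc_len;
} cert_t;

/* chain[0] is the leaf and chain[i+1] issued chain[i]. Every issuer must be a
 * CA (cA=TRUE) and must not have more intermediates beneath it than its
 * pathLenConstraint allows. This is the check the vulnerable plugins skipped. */
bool chain_issuers_are_cas(const cert_t *chain, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        basic_constraints bc;
        if (chain[i].bc_der == NULL) return false;        /* no extension: not a CA */
        if (!parse_basic_constraints(chain[i].bc_der, chain[i].bc_len, &bc)) return false;
        if (!bc.ca) return false;                         /* end-entity cert used as issuer */
        /* Intermediates that follow chain[i] on the path are chain[1..i-1]: i-1 of them. */
        if (bc.path_len >= 0 && (int)(i - 1) > bc.path_len) return false;
    }
    return true;
}

/* Constructed extension values (not taken from any real certificate). */
static const uint8_t BC_CA[]          = {0x30,0x03, 0x01,0x01,0xff};                  /* cA=TRUE */
static const uint8_t BC_CA_PATHLEN0[] = {0x30,0x06, 0x01,0x01,0xff, 0x02,0x01,0x00};  /* cA=TRUE, pathLen 0 */
static const uint8_t BC_CA_PATHLEN1[] = {0x30,0x06, 0x01,0x01,0xff, 0x02,0x01,0x01};  /* cA=TRUE, pathLen 1 */
static const uint8_t BC_END_ENTITY[]  = {0x30,0x00};                                  /* cA omitted => FALSE */
static const uint8_t BC_BAD_BOOL[]    = {0x30,0x03, 0x01,0x01,0x01};                  /* non-DER boolean */

#define CERT(arr) { arr, sizeof(arr) }
static const cert_t CHAIN_OK[]         = { {NULL,0}, CERT(BC_CA) };                        /* leaf <- CA */
static const cert_t CHAIN_FORGED[]     = { {NULL,0}, CERT(BC_END_ENTITY), CERT(BC_CA) };   /* CVE-2014-3694: ordinary cert used as issuer */
static const cert_t CHAIN_TOO_DEEP[]   = { {NULL,0}, CERT(BC_CA), CERT(BC_CA_PATHLEN0) };  /* root allows 0 intermediates, 1 present */
static const cert_t CHAIN_DEPTH_OK[]   = { {NULL,0}, CERT(BC_CA), CERT(BC_CA_PATHLEN1) };  /* root allows 1 intermediate, 1 present */
static const cert_t CHAIN_PATHLEN_OK[] = { {NULL,0}, CERT(BC_CA_PATHLEN0) };               /* pathLen 0 root issues leaf directly */
static const cert_t CHAIN_MALFORMED[]  = { {NULL,0}, CERT(BC_BAD_BOOL) };                  /* garbage extension: reject */

int main(void)
{
    printf("legit chain      : %s\n", chain_issuers_are_cas(CHAIN_OK, 2)         ? "accept" : "reject");
    printf("forged chain     : %s\n", chain_issuers_are_cas(CHAIN_FORGED, 3)     ? "accept" : "reject");
    printf("pathLen violated : %s\n", chain_issuers_are_cas(CHAIN_TOO_DEEP, 3)   ? "accept" : "reject");
    printf("pathLen 1, depth1: %s\n", chain_issuers_are_cas(CHAIN_DEPTH_OK, 3)   ? "accept" : "reject");
    printf("pathLen 0, direct: %s\n", chain_issuers_are_cas(CHAIN_PATHLEN_OK, 2) ? "accept" : "reject");
    printf("malformed ext    : %s\n", chain_issuers_are_cas(CHAIN_MALFORMED, 2)  ? "accept" : "reject");
    return 0;
}
```

Absence of the extension is treated as "not a CA", which is what RFC 5280 requires for v3 certificates; whether a v1 self-signed root in the local trust store is acceptable is a trust-anchor policy decision made before this check runs, not inside it. The check also assumes the signature on each certificate has already been verified against the next one; Basic Constraints is in addition to that, not instead of it.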
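Item 4 above is an archive path-traversal problem in a tar extractor. As an added example that is not Pidgin's untar code: a member-name sanitizer suited to Windows that rejects absolute paths under either separator, drive-letter prefixes and any ".." component, collapses "." components and repeated separators, plus a typeflag filter so that only regular files and directories are ever written. The destination directory, the sample member names and the tar_extract_path wrapper are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Both separators count on Windows: "..\\..\\x" must not slip past a check
 * that only looks for '/'. */
static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* Normalise a tar member name into a relative path that is safe to join under
 * the extraction directory. Rejects absolute paths (either separator), drive
 * letters ("C:..."), any ".." component, and names that normalise to nothing.
 * Drops "." components and separator runs; emits forward slashes.
 * 'name' must be NUL-terminated: copy the 100-byte tar name field into a
 * 101-byte buffer before calling this. */
bool sanitize_tar_member(const char *name, char *out, size_t outsz)
{
    size_t n = strlen(name);
    if (n == 0 || outsz == 0) return false;
    if (is_sep(name[0])) return false;                         /* "/etc/passwd", "\Windows\..." */
    if (n >= 2 && isalpha((unsigned char)name[0]) && name[1] == ':') return false;  /* "C:\..." */

    size_t o = 0;
    const char *p = name;
    while (*p) {
        const char *start = p;
        while (*p && !is_sep(*p)) p++;
        size_t clen = (size_t)(p - start);
        while (is_sep(*p)) p++;                                /* swallow separator runs */
        if (clen == 0 || (clen == 1 && start[0] == '.')) continue;          /* "" or "." */
        if (clen == 2 && start[0] == '.' && start[1] == '.') return false;  /* traversal */
        if (o + clen + 2 > outsz) return false;                /* room for '/' + component + NUL */
        if (o > 0) out[o++] = '/';
        memcpy(out + o, start, clen);
        o += clen;
    }
    if (o == 0) return false;                                  /* e.g. "." or "./" */
    out[o] = '\0';
    return true;
}

/* ustar typeflag (header offset 156). Only regular files and directories are
 * extracted: symlink and hard-link entries name a target the extractor does
 * not control, and the other types have no business in a smiley theme. */
bool tar_typeflag_allowed(char typeflag)
{
    return typeflag == '0' || typeflag == '\0' || typeflag == '5';
}

/* Build the final extraction path, or return NULL if the member is unsafe.
 * Uses a static buffer so the demo below can print and compare results. */
const char *tar_extract_path(const char *dest_dir, const char *member, char typeflag)
{
    static char rel[512], full[1024];
    if (!tar_typeflag_allowed(typeflag)) return NULL;
    if (!sanitize_tar_member(member, rel, sizeof rel)) return NULL;
    int w = snprintf(full, sizeof full, "%s/%s", dest_dir, rel);
    if (w < 0 || (size_t)w >= sizeof full) return NULL;
    return full;
}

/* Constructed sample archive entries (not taken from any real theme). */
static const struct { const char *name; char type; } SAMPLES[] = {
    { "theme/icons/smile.png",                    '0' },
    { "theme/./icons//wink.png",                  '0' },
    { "theme/..hidden/x",                         '0' },   /* "..hidden" is not ".." */
    { "../../Windows/System32/drivers/etc/hosts", '0' },
    { "..\\..\\Windows\\win.ini",                 '0' },
    { "C:\\Windows\\evil.dll",                    '0' },
    { "/etc/passwd",                              '0' },
    { "theme/link-to-anywhere",                   '2' },   /* symlink entry */
    { ".",                                        '5' },
};

int main(void)
{
    const char *dest = "C:/Users/alice/.purple/smileys";   /* constructed destination */
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        const char *path = tar_extract_path(dest, SAMPLES[i].name, SAMPLES[i].type);
        printf("%-45s -> %s\n", SAMPLES[i].name, path ? path : "REJECTED");
    }
    return 0;
}
```

Two points a reviewer would raise on any extractor: the check has to run on the name as it will be passed to the filesystem API (after any prefix field has been joined and before any encoding conversion that might reintroduce separators), and a directory entry that passes still needs the same treatment before mkdir, since "theme/../x/" is just as dangerous as a file.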