4 vulnerabilities in libpurple

Daniel Atallah daniel.atallah at gmail.com
Tue Oct 14 12:42:29 EDT 2014


On Tue, Oct 14, 2014 at 8:58 AM, Richard Johnson <rjohnson at sourcefire.com>
wrote:

> Hi Daniel, I wanted to mention that we'd like to modify the way we do our
> credit byline since our acquisition by Cisco. In place of Sourcefire VRT,
> we are now 'Cisco Talos' so if the credit was:
> Discovered by Yves Younan of Sourcefire VRT
>
> we would like it to read:
> Discovered by Yves Younan of Cisco Talos
>
> Thanks!
>
>
The CVEs for these have already been issued:
CVE-2014-3695 pidgin: Remote crash parsing malformed MXit emoticon
CVE-2014-3696 pidgin: Remote crash parsing malformed Groupwise message.
CVE-2014-3697 pidgin: Malicious smiley themes could alter arbitrary files

I've asked our contact to get these updated, but I don't know how feasible
that is.
We'll make sure to get our Changelog and website to reflect these changes.

-D


On Fri, Oct 10, 2014 at 9:54 AM, Richard Johnson <rjohnson at sourcefire.com>
wrote:

> Thank you for the update!
>
> On Thu, Oct 9, 2014 at 7:47 PM, Daniel Atallah <daniel.atallah at gmail.com>
> wrote:
>
>>
>> On Mon, Oct 6, 2014 at 10:09 AM, Daniel Atallah <daniel.atallah at gmail.com>
>> wrote:
>>
>>>
>>> On Thu, Oct 2, 2014 at 6:16 PM, Richard Johnson <rjohnson at sourcefire.com>
>>> wrote:
>>>
>>>> Daniel, please give me a firm date or I will move forward with pushing
>>>> out the advisory on our normal schedule. I coordinate vulnerabilities we
>>>> discover with many vendors and the typical timeline is 45 days maximum.
>>>> You've had over 6 months since our original disclosure to you which you
>>>> promptly fixed in your internal code tree. Unfortunately, this has pushed
>>>> beyond my projected delivery dates on my side so we need to move on this.
>>>>
>>>
>>> We'll have a date for you by the end of the week.
>>>
>>> Thanks,
>>> -D
>>>
>>
>> We've scheduled the 2.10.10 release for October 22nd.
>>
>> We will be coordinating getting CVEs for the following:
>>
>> * VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of
>> Service Vulnerability:
>> * VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of
>> Service Vulnerabilities:
>> * VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write
>> Vulnerability:
>>
>> Thanks again,
>> Daniel
>>
>>
>>
>>>>
>>>> Regards,
>>>>
>>>> Richard Johnson
>>>> Manager, Vulnerability Development
>>>> Cisco Talos (formerly Sourcefire VRT)
>>>>
>>>>
>>>> On Thu, Oct 2, 2014 at 4:32 PM, Daniel Atallah <
>>>> daniel.atallah at gmail.com> wrote:
>>>>
>>>>> On Mon, Sep 29, 2014 at 10:03 PM, Richard Johnson <
>>>>> rjohnson at sourcefire.com> wrote:
>>>>>
>>>>>> Hello Daniel, we haven't seen any progress on these since April, do
>>>>>> you have an ETA for delivery?
>>>>>>
>>>>>
>>>>> Thanks for the reminder.
>>>>>
>>>>> I'll try to get some wheels turning on a release in the not too
>>>>> distant future.
>>>>>
>>>>> -D
>>>>>
>>>>>
>>>>>>
>>>>>> On Sun, Apr 13, 2014 at 12:20 AM, Mark Doliner <mark at kingant.net>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi! I fixed the three remaining issues in our private code repo. We're
>>>>>>> still working on a few other issues and we don't yet have an ETA for
>>>>>>> release. We'll keep you updated on any progress.
>>>>>>>
>>>>>>> On Sun, Feb 9, 2014 at 12:45 PM, Daniel Atallah
>>>>>>> <daniel.atallah at gmail.com> wrote:
>>>>>>> > VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of Service
>>>>>>> > Vulnerability:
>>>>>>> > This looks legitimate and still exists in Pidgin 2.10.9
>>>>>>>
>>>>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>>>>> like to review it).
>>>>>>>
>>>>>>> > VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of Service
>>>>>>> > Vulnerabilities:
>>>>>>> > This looks legitimate and still exists in Pidgin 2.10.9.
>>>>>>> > The title for this one in the file refers to Gadu-Gadu - I assume that's
>>>>>>> > just a copy/paste error.
>>>>>>>
>>>>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>>>>> like to review it).
>>>>>>>
>>>>>>> > VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write
>>>>>>> > Vulnerability:
>>>>>>> > This looks legitimate and still exists in Pidgin 2.10.9
>>>>>>>
>>>>>>> I fixed this in our private 2.x.y repo (patch attached in case you'd
>>>>>>> like to review it). Were you guys actually able to exploit this? I
>>>>>>> wasn't able to. I could not drag links from a browser to the smiley
>>>>>>> pane of prefs in Windows. I could drag a local file from Windows
>>>>>>> Explorer to the smiley window, but of course that's a valid file
>>>>>>> name.
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Richard Johnson
>>>>>> Sourcefire VRT
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Richard Johnson
>>>> Sourcefire VRT
>>>>
>>>
>>>
>>
>
>
> --
> Richard Johnson
> Sourcefire VRT
>



-- 
Richard Johnson
Sourcefire VRT
