[Pidgin] #15286: Master bug for old libraries in Windows Pidgin build
Pidgin
trac at pidgin.im
Sat Aug 25 23:16:38 EDT 2012
#15286: Master bug for old libraries in Windows Pidgin build
----------------------+-----------------------------------------------------
Reporter: ioerror | Owner: datallah
Type: defect | Status: new
Milestone: | Component: winpidgin (gtk)
Version: 2.10.6 | Resolution:
Keywords: security |
----------------------+-----------------------------------------------------
Comment(by ioerror):
Ok - so grouping by CVE/known vulns this time.
Everything related to GTK is covered in #14571, #15281 and perhaps #15282.
libnss (#15284) appears vulnerable; it is responsible (
http://developer.pidgin.im/static/win32/nss-3.12.5-nspr-4.8.2.tar.gz ) for
these dlls:
{{{
freebl3.dll
libnspr4.dll
libplc4.dll
libplds4.dll
nss3.dll
nssckbi.dll
nssdbm3.dll
nssutil3.dll
smime3.dll
softokn3.dll
sqlite3.dll
ssl3.dll
}}}
CMU Cyrus SASL library is likely remotely exploitable (CVE-2009-0688):
{{{
libsasl.dll
}}}
The Unofficial Lotus Sametime Community Client Library aka libmeanwhile is
provided by meanwhile-1.0.2_daa2 (
http://developer.pidgin.im/static/win32/meanwhile-1.0.2_daa2-win32.zip )
and it appears to not have any outstanding CVEs. I did however find a
Debian bug from 2011 ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652156 )
that indicates that the build from 2008-12-09 also has issues:
{{{
libmeanwhile-1.dll
}}}
libsilc is vulnerable (CVE-2009-3163 and CVE-2008-7160):
{{{
libsilc-1-1-2.dll
libsilcclient-1-1-2.dll
}}}
libxml2 is seemingly vulnerable to a bunch of CVEs:
{{{
libxml2-2.dll
}}}
exchndl.dll appears to be the Crash Reporting Library (
http://developer.pidgin.im/static/win32/pidgin-inst-deps-20100315.tar.gz).
I think the source for that dll is from
http://pidgin.im/~datallah/exchndl.c - is that the code for the exception
handler/Crash Reporter? If so, is it actually free software? Either way -
according to the author of MSJExceptionHandler, it was replaced by
WheatyExceptionReport ( http://www.wheaty.net/Columns.htm ) in 2002 (
http://bwmangos.googlecode.com/svn/trunk/src/shared/WheatyExceptionReport.cpp
). Furthermore, it appears that it is pretty unsafe in general:
{{{
exchndl.dll
}}}
The following are Pidgin/libpurple code (including '''plugins/*''') and
not thought to be covered by any CVEs - though I guess I'll wait for
explicit confirmation from the pidgin team, as they're the authority on
these dlls:
{{{
libjabber.dll
liboscar.dll
libpurple.dll
libymsg.dll
pidgin.dll
}}}
--
Ticket URL: <http://developer.pidgin.im/ticket/15286#comment:4>
Pidgin <http://pidgin.im>