Items to be aware of - libpurple

Alan Humpherys alangh at adium.im
Fri Oct 23 19:51:52 UTC 2009


I received this security report today from SecurityMetrics that has  
some interesting things to be aware of in libpurple... (They are  
marked as "Pidgin" issues, but most are protocol level items which may  
apply to anyone using libPurple)

October 23, 2009
2009-10-23: Pidgin 'msn_slplink_process_msg()' NULL Pointer Dereference Remote Code Execution Vulnerability
Attackers can exploit this issue to execute arbitrary code in the
context of an affected application. Failed attacks may cause a
denial-of-service condition.
http://www.securityfocus.com/bid/36071

October 23, 2009
2009-10-23: Pidgin 'protocols/jabber/auth.c' JABBER Server XMPP Specifications Man In The Middle Vulnerability
Attackers can exploit this issue to sniff instant-messaging sessions
and obtain potentially sensitive information.
http://www.securityfocus.com/bid/36368

October 23, 2009
2009-10-23: Pidgin Multiple Buffer Overflow Vulnerabilities
Successful exploits may allow attackers to execute arbitrary code with
the privileges of a user running the software or cause
denial-of-service conditions.
http://www.securityfocus.com/bid/35067

October 23, 2009
2009-10-23: Pidgin OSCAR Protocol Web Message Denial of Service Vulnerability
Successful exploits will cause the affected application to crash,
effectively denying service to legitimate users.
http://www.securityfocus.com/bid/35530

October 22, 2009
T-256: Pidgin OSCAR Plugin Invalid Memory Access Denial Of Service Vulnerability
Attackers can exploit this issue to cause denial-of-service
conditions. Given the nature of these issues, attackers may also be
able to run arbitrary code, but this has not been confirmed. A remote
attacker could exploit this issue to cause denial-of-service
conditions. This risk is medium.
http://www.doecirc.energy.gov/bulletins/t-256.shtml

- Alan
______
Alan Humpherys
Adium Development Team
alangh at adium.im
http://www.adium.im


