Items to be aware of - libpurple
Zachary West
zacw at adium.im
Fri Oct 23 20:05:26 UTC 2009
On Fri, Oct 23, 2009 at 15:51, Alan Humpherys <alangh at adium.im> wrote:
> I received this security report today from SecurityMetrics that has some
> interesting things to be aware of in libpurple... (They are marked as
> "Pidgin" issues, but most are protocol level items which may apply to anyone
> using libPurple)
>
Almost all of these are really old… just look at the "affected version"
numbers. 1.3.6/7 have 2.5.8, 1.4.x is 2.6.x, and some of them mention the
fixed Adium versions, too.
> October 23, 2009
> 2009-10-23: Pidgin 'msn_slplink_process_msg()' NULL Pointer Dereference
> Remote Code Execution Vulnerability
> Attackers can exploit this issue to execute arbitrary code in the context
> of an affected application. Failed attacks may cause a denial-of-service
> condition.
> http://www.securityfocus.com/bid/36071
>
Fixed in stable Adium.
> October 23, 2009
> 2009-10-23: Pidgin 'protocols/jabber/auth.c' JABBER Server XMPP
> Specifications Man In The Middle Vulnerability
> Attackers can exploit this issue to sniff instant-messaging sessions and
> obtain potentially sensitive information.
> http://www.securityfocus.com/bid/36368
>
Fixed in 1.4.
>
> October 23, 2009
> 2009-10-23: Pidgin Multiple Buffer Overflow Vulnerabilities
> Successful exploits may allow attackers to execute arbitrary code with the
> privileges of a user running the software or cause denial-of-service
> conditions.
> http://www.securityfocus.com/bid/35067
>
Fixed in stable Adium.
>
> October 23, 2009
> 2009-10-23: Pidgin OSCAR Protocol Web Message Denial of Service
> Vulnerability
> Successful exploits will cause the affected application to crash,
> effectively denying service to legitimate users.
> http://www.securityfocus.com/bid/35530
>
Fixed in stable Adium.
>
> October 22, 2009
> T-256: Pidgin OSCAR Plugin Invalid Memory Access Denial Of Service
> Vulnerability
> Attackers can exploit this issue to cause denial-of-service conditions.
> Given the nature of these issues, attackers may also be able to run
> arbitrary code, but this has not been confirmed. A remote attacker could
> exploit this issue to cause denial-of-service conditions. This risk is
> medium.
> http://www.doecirc.energy.gov/bulletins/t-256.shtml
>
Fixed in stable Adium.
--
Zachary West