Add all CVE and independent advisories from 2011
Testing Done:
Built locally with `dev-server.sh` and verified contents of advisories added
Bugs closed: NEST-43
Reviewed at https://reviews.imfreedom.org/r/511/
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2011-1091-00.md Sun Feb 14 19:57:10 2021 -0600
@@ -0,0 +1,22 @@
+date: 2011-03-10T00:00:00.000Z +cveNumber: cve-2011-1091 +summary: Remote denial of service in Yahoo protocol plugin +discoveredBy: Marius Wachtler +The Yahoo protocol plugin in libpurple versions 2.6.0 through 2.7.10 do not +properly handle malformed YMSG packets, leading to NULL pointer dereferences and +Properly handle malformed packets by ignoring the packet or the missing field. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2011-2485-00.md Sun Feb 14 19:57:10 2021 -0600
@@ -0,0 +1,27 @@
+date: 2011-06-23T00:00:00.000Z +cveNumber: cve-2011-2485 +summary: Remote denial of service from corrupt buddy icons +discoveredBy: Mark Doliner +It was found that the gdk-pixbuf GIF image loader routine +`gdk_pixbuf__gif_image_load()` did not properly handle certain return values +from its subroutines. A remote attacker could provide a specially-crafted GIF +image, which, once opened in Pidgin, would lead gdk-pixbuf to return a partially +initialized pixbuf structure. Using this structure, possibly containing a huge +width and height, could lead to the application being terminated due to +Change Pidgin to look at the GError parameter in addition to the return value +when calling certain gdk-pixbuf functions. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2011-2943-00.md Sun Feb 14 19:57:10 2021 -0600
@@ -0,0 +1,24 @@
+date: 2011-08-20T00:00:00.000Z +cveNumber: cve-2011-2943 +summary: Remote crash in IRC protocol plugin +discoveredBy: Djego Ibanez, Lead QA at Gamistry +Certain characters in the nicknames of IRC users can trigger a null pointer +dereference in the IRC protocol plugin's handling of responses to WHO requests. +This can cause a crash on some operating systems. Clients based on libpurple +2.8.0 through 2.9.0 are affected. +Change libpurple to validate the data it receives from the server before --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2011-3184-00.md Sun Feb 14 19:57:10 2021 -0600
@@ -0,0 +1,26 @@
+date: 2011-08-20T00:00:00.000Z +cveNumber: cve-2011-3184 +summary: Remote crash in MSN protocol plugin +discoveredBy: Marius Wachtler +Incorrect handling of HTTP 100 responses in the MSN protocol plugin can cause +the application to attempt to access memory that it does not have access to. +This only affects users who have turned on the HTTP connection method for their +accounts (it's off by default). This might only be triggerable by a malicious +server and not a malicious peer. We believe remote code execution is not +Correctly take into account the size of HTTP 100 response when parsing server --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2011-3185-00.md Sun Feb 14 19:57:10 2021 -0600
@@ -0,0 +1,23 @@
+date: 2011-08-20T00:00:00.000Z +cveNumber: cve-2011-3185 +summary: Pidgin uses clickable links to untrusted executables +discoveredBy: James Burton, Insomnia Security +If a user clicks on a file:// URI in a received IM in Windows builds of Pidgin, +Pidgin attempts to execute the file. This can be dangerous if the file:// URI is +a path on a network share. +Don't attempt to execute files when the user clicks a file:// URI. Instead, open +a file browser at the file's location. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2011-3594-00.md Sun Feb 14 19:57:10 2021 -0600
@@ -0,0 +1,22 @@
+date: 2011-09-29T00:00:00.000Z +cveNumber: cve-2011-3594 +summary: SILC remote crash +discoveredBy: Diego Bauche Madero from IOActive +When receiving various incoming messages, the SILC protocol plugin failed to +validate that a piece of text was UTF-8. In some cases invalid UTF-8 data would +Validate incoming strings as UTF-8 before using them as such. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2011-4601-00.md Sun Feb 14 19:57:10 2021 -0600
@@ -0,0 +1,23 @@
+date: 2011-10-20T00:00:00.000Z +cveNumber: cve-2011-4601 +summary: AIM and ICQ remote crash +discoveredBy: Evgeny Boger +When receiving various messages related to requesting or receiving authorization +for adding a buddy to a buddy list, the oscar protocol plugin failed to validate +that a piece of text was UTF-8. In some cases invalid UTF-8 data would lead to a +Validate incoming strings as UTF-8 before using them as such. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2011-4602-00.md Sun Feb 14 19:57:10 2021 -0600
@@ -0,0 +1,22 @@
+date: 2011-12-10T00:00:00.000Z +cveNumber: cve-2011-4602 +summary: XMPP remote crash +discoveredBy: Thijs Alkemade +When receiving various stanzas related to voice and video chat, the XMPP +protocol plugin failed to ensure that the incoming message contained all +required fields, and would crash if certain fields were missing. +Check for missing fields and handle them appropriately. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2011-4603-00.md Sun Feb 14 19:57:10 2021 -0600
@@ -0,0 +1,23 @@
+date: 2011-09-29T00:00:00.000Z +cveNumber: cve-2011-4603 +summary: SILC remote crash +discoveredBy: Diego Bauche Madero from IOActive +When receiving various incoming messages, the SILC protocol plugin failed to +validate that a piece of text was UTF-8. In some cases invalid UTF-8 data would +lead to a crash. This vulnerability is similar to CVE-2011-3594, but occurs in a +different piece of code and was fixed at a later date. +Validate incoming strings as UTF-8 before using them as such. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2011-4939-00.md Sun Feb 14 19:57:10 2021 -0600
@@ -0,0 +1,21 @@
+date: 2011-07-08T00:00:00.000Z +cveNumber: cve-2011-4939 +summary: XMPP remote crash +discoveredBy: Clemens Huebner in ticket #14392 and Kevin Stange +Certain types of nickname changes in XMPP chat rooms can trigger a NULL pointer +dereference in Pidgin, which triggers a crash. +Check for NULL before trying to use a struct. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/independent-20110206-00.md Sun Feb 14 19:57:10 2021 -0600
@@ -0,0 +1,22 @@
+title: independent-20110206-00 +date: 2011-02-06T00:00:00.000Z +summary: Cipher API information disclosure +discoveredBy: Julia Lawall +It was discovered that libpurple versions prior to 2.7.10 do not properly clear +certain data structures used in `libpurple/cipher.c` prior to freeing. An +attacker could potentially extract partial information from memory regions freed +Proper structure clearing has been implemented.
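Review bot: subject-verb agreement in the description in cve-2011-1091-00.md: "The Yahoo protocol plugin in libpurple versions 2.6.0 through 2.7.10 do not properly handle" should read "does not properly handle", since the subject is the plugin, not the versions.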
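Review bot: the description in cve-2011-2485-00.md locates the defect in gdk-pixbuf's `gdk_pixbuf__gif_image_load()` returning a partially initialized pixbuf, while the fix given is on the Pidgin side ("look at the GError parameter in addition to the return value"). Consider stating explicitly that the Pidgin change is defensive handling of a library bug and that the underlying fault is in gdk-pixbuf, so readers understand that a fixed gdk-pixbuf addresses the root cause and the Pidgin change hardens against the loader's behaviour.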
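Review bot: missing article in the fix text of cve-2011-3184-00.md: "Correctly take into account the size of HTTP 100 response" should read "the size of the HTTP 100 response". The preceding sentence "This might only be triggerable by a malicious server and not a malicious peer" is a useful scoping statement for readers assessing exposure; keep it.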
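Review bot: cve-2011-4603-00.md carries `date: 2011-09-29T00:00:00.000Z`, identical to cve-2011-3594-00.md, yet its body says the issue "was fixed at a later date" than CVE-2011-3594. Either `date` records the report date, in which case the value is fine but the rendered page should label it as such, or it records the fix date and this value needs correcting. Please confirm which meaning the front matter uses and apply it consistently across the 2011 files.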
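Review bot: independent-20110206-00.md is the only advisory in this patch with a `title:` field; the cve-*.md files carry `cveNumber:` but no `title:`. If the Hugo template derives the page title from cveNumber that is fine, but note that cveNumber is stored in lowercase (`cveNumber: cve-2011-1091`) while the body of cve-2011-4603-00.md writes `CVE-2011-3594` in the canonical uppercase form; either store the canonical form or make sure the template uppercases it on render so the two do not disagree on the same page.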