Add all cve advisories from 2010
Testing Done:
Built locally with `dev-server.sh` and verified contents of advisories added
Bugs closed: NEST-43
Reviewed at https://reviews.imfreedom.org/r/512/
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2010-0013-00.md Sat Feb 13 20:12:24 2021 -0600
@@ -0,0 +1,22 @@
+date: 2010-01-08T00:00:00.000Z +cveNumber: cve-2010-0013 +summary: MSN file download vulnerability +discoveredBy: Fabian Yamaguchi +The MSN protocol plugin extracts the filename of a custom emoticon from an +incoming request and uploads that file without correlating the filename to a +Validate the custom emoticon requested is valid before uploading its file data. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2010-0277-00.md Sat Feb 13 20:12:24 2021 -0600
@@ -0,0 +1,21 @@
+date: 2010-02-18T00:00:00.000Z +cveNumber: cve-2010-0277 +summary: MSN malformed SLP message crash +discoveredBy: Fabian Yamaguchi +Certain malformed SLP messages can trigger a crash because the MSN protocol +plugin fails to check that all pieces of the message are set correctly. +Validate input before attempting to handle the message. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2010-0420-00.md Sat Feb 13 20:12:24 2021 -0600
@@ -0,0 +1,23 @@
+date: 2010-02-18T00:00:00.000Z +cveNumber: cve-2010-0420 +summary: Finch XMPP MUC crash +discoveredBy: Sadrul Habib Chowdhury +If a user in a multi-user chat room has a nickname containing '<br>' then +libpurple ends up having two users with username ' ' in the room, and Finch +crashes in this situation. We do not believe there is a possibility of remote +Correctly parse '<br>' so that it appears literally rather than as ' '. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2010-0423-00.md Sat Feb 13 20:12:24 2021 -0600
@@ -0,0 +1,22 @@
+date: 2010-02-18T00:00:00.000Z +cveNumber: cve-2010-0423 +summary: Smiley denial of service +discoveredBy: Antti Hayrynen +oCERT notified us about a problem in Pidgin, where a large amount of processing +time will be used when inserting many smileys into an IM or chat window. This +should not cause a crash, but Pidgin can become unusably slow. +A limit was added for the maximum number of smileys allowed in a conversation. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2010-1624-00.md Sat Feb 13 20:12:24 2021 -0600
@@ -0,0 +1,25 @@
+date: 2010-05-12T00:00:00.000Z +cveNumber: cve-2010-1624 +summary: MSN emoticon denial of service +discoveredBy: Pierre Noguès of Meta Security +A vulnerability was discovered in libpurple's MSN protocol plugin that can cause +a denial of service (crash) due to insufficient validation of certain SLP +packets related to custom emoticons. An attacker could use this vulnerability to +remotely crash a client using libpurple for MSN. It is not possible for this +vulnerability to be exploited for code execution. As a workaround, disabling +custom emoticons on MSN accounts will prevent the vulnerability. +Validation has been added to the MSN plugin to prevent the crash. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2010-2528-00.md Sat Feb 13 20:12:24 2021 -0600
@@ -0,0 +1,21 @@
+date: 2010-07-21T00:00:00.000Z +cveNumber: cve-2010-2528 +summary: ICQ X-Status denial of service +discoveredBy: Mark Doliner +Certain incorrectly formed X-Status messages can cause libpurple to attempt to +dereference a NULL pointer, which triggers a crash. +Improve the parsing of the X-Status message to be more robust. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2010-3711-00.md Sat Feb 13 20:12:24 2021 -0600
@@ -0,0 +1,25 @@
+date: 2010-10-20T00:00:00.000Z +cveNumber: cve-2010-3711 +summary: Multiple remotely-triggered denials of service +discoveredBy: Daniel Atallah +It has been discovered that eight denial of service conditions exist in +libpurple all due to insufficient validation of the return value from +`purple_base64_decode()`. Invalid or malformed data received in place of a valid +base64-encoded value in portions of the Yahoo!, MSN, MySpaceIM, and XMPP +protocol plugins and the NTLM authentication support trigger a crash. These +vulnerabilities can be leveraged by a remote user for denial of service. +Check the return value from `purple_base64_decode()` before trying to use it. --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2010-4528-00.md Sat Feb 13 20:12:24 2021 -0600
@@ -0,0 +1,23 @@
+date: 2010-12-26T00:00:00.000Z +cveNumber: cve-2010-4528 +summary: MSN direct connection denial of service +discoveredBy: Stu Tomlinson +It was discovered that libpurple 2.7.6 through 2.7.8 did not properly handle +"short" packets in MSN direct connection sessions, leading to a crash due to a +NULL pointer dereference. Malicious clients or users can exploit this to cause a +denial of service (crash).