pidgin/nest

Add all CVE advisories from 2009

7 months ago, Sorvival
91f916eba5fd
Parents 50d9e50b8b86
Children 18e12a873563
Add all CVE advisories from 2009

Testing Done:
Built locally with `dev-server.sh` and verified contents of advisories added

Bugs closed: NEST-43

Reviewed at https://reviews.imfreedom.org/r/513/
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2009-1373-00.md Sun Feb 14 20:02:01 2021 -0600
@@ -0,0 +1,21 @@
+---
+title: cve-2009-1373-00
+date: 2009-05-02T00:00:00.000Z
+cveNumber: cve-2009-1373
+summary: XMPP file transfer buffer overflow
+discoveredBy: Veracode
+fixedInRelease: 2.5.6
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+The XMPP SOCKS5 bytestream server was not correctly checking the bounds of a
+buffer when initiating an outgoing file transfer.
+
+### Mitigation
+
+The affected function has been patched to fix the vulnerability.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2009-1374-00.md Sun Feb 14 20:02:01 2021 -0600
@@ -0,0 +1,22 @@
+---
+title: cve-2009-1374-00
+date: 2009-05-03T00:00:00.000Z
+cveNumber: cve-2009-1374
+summary: QQ remote DoS
+discoveredBy: Ka-Hing Cheung
+fixedInRelease: 2.5.6
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+`decrypt_out()` always writes 8 bytes past the supplied buffer, which is always
+allocated on the stack. We don't believe this can cause anything outside of a
+crash.
+
+### Mitigation
+
+`decrypt_out()` is fixed to not write past the end of the buffer.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2009-1375-00.md Sun Feb 14 20:02:01 2021 -0600
@@ -0,0 +1,22 @@
+---
+title: cve-2009-1375-00
+date: 2009-03-20T00:00:00.000Z
+cveNumber: cve-2009-1375
+summary: Remote DoS in multiple protocols
+discoveredBy: Josef Andrysek
+fixedInRelease: 2.5.6
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+A buffer maintained by `PurpleCircBuffer` may be corrupted if it's exactly full
+and then more bytes are added to it, leading to a crash. This structure is used
+by the XMPP and Sametime protocol plugins.
+
+### Mitigation
+
+PurpleCircBuffer now correctly checks bounds.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2009-1376-00.md Sun Feb 14 20:02:01 2021 -0600
@@ -0,0 +1,23 @@
+---
+title: cve-2009-1376-00
+date: 2009-05-02T00:00:00.000Z
+cveNumber: cve-2009-1376
+summary: MSN malformed SLP message overflow
+discoveredBy: Loc VALBON (via TippingPoint's Zero Day Initiative)
+fixedInRelease: 2.5.6
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+The previous fix to [CVE-2008-2927]({{< ref "cve-2008-2927-00" >}}) was deemed
+incomplete. The size check improperly cast an `uint64` to `size_t` which can
+cause an integer overflow, rendering the check useless.
+
+### Mitigation
+
+The proper variable type is now used when doing size comparison. Additionally,
+the malformed message is now properly discarded.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2009-1889-00.md Sun Feb 14 20:02:01 2021 -0600
@@ -0,0 +1,23 @@
+---
+title: cve-2009-1889-00
+date: 2009-05-28T00:00:00.000Z
+cveNumber: cve-2009-1889
+summary: ICQ parser excessive memory allocation
+discoveredBy: Yuriy Kaminskiy
+fixedInRelease: 2.5.8
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+The ICQ prpl would misparse an incoming ICQ Web Message as an SMS message in
+certain circumstances, leading to an excessively large allocation.
+
+### Mitigation
+
+Yuriy's patch corrected the misparsing of such ICQ web messages so they are no
+longer treated as SMS messages and added validation to avoid unnecessary memory
+allocations.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2009-2694-00.md Sun Feb 14 20:02:01 2021 -0600
@@ -0,0 +1,24 @@
+---
+title: cve-2009-2694-00
+date: 2009-08-18T00:00:00.000Z
+cveNumber: cve-2009-2694
+summary: MSN overflow parsing SLP messages
+discoveredBy: Core Security Technologies
+fixedInRelease: 2.5.9
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+By sending two consecutive specially crafted SLP messages it is possible to
+trigger an memcpy to an invalid location in memory. This affects all versions of
+libpurple and Gaim released in the past few years.
+
+### Mitigation
+
+Correctly destroy outgoing SLP ACK messages after they are sent, and ensure a
+buffer has been allocated within the SLP data structure before attempting to
+write to it.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2009-2703-00.md Sun Feb 14 20:02:01 2021 -0600
@@ -0,0 +1,21 @@
+---
+title: cve-2009-2703-00
+date: 2009-09-03T00:00:00.000Z
+cveNumber: cve-2009-2703
+summary: IRC crash from malicious server
+discoveredBy: Cristofaro Mune
+fixedInRelease: 2.6.2
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+A specially crafted IRC TOPIC message can trigger a NULL pointer dereference in
+the IRC protocol plugin's code for handling IRC topics.
+
+### Mitigation
+
+Correctly ignore invalid TOPIC messages sent from the server.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2009-3025-00.md Sun Feb 14 20:02:01 2021 -0600
@@ -0,0 +1,22 @@
+---
+title: cve-2009-3025-00
+date: 2009-08-22T00:00:00.000Z
+cveNumber: cve-2009-3025
+summary: Yahoo IM parsing crash
+discoveredBy: adk
+fixedInRelease: 2.6.1
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+Possibly depending on the architecture and/or flags used to compile libpurple,
+the Yahoo protocol plugin may crash when receiving an IM from any user which
+contains a URL. The only vulnerable version of libpurple is 2.6.0.
+
+### Mitigation
+
+Correctly parse URLs in incoming Yahoo messages.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2009-3026-00.md Sun Feb 14 20:02:01 2021 -0600
@@ -0,0 +1,23 @@
+---
+title: cve-2009-3026-00
+date: 2009-09-03T00:00:00.000Z
+cveNumber: cve-2009-3026
+summary: XMPP may not enforce TLS
+discoveredBy: bugdave in ticket #8131 and Paul Aurich
+fixedInRelease: 2.6.0
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+The XMPP protocol plugin can be tricked into establishing an insecure connection
+by a malicious man in the middle by causing libpurple to use the older IQ-based
+login and then not offering TLS/SSL. The "require TLS/SSL" option was introduced
+in 2.2.0.
+
+### Mitigation
+
+Respect the "require TLS/SSL" preference for this type of connection.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2009-3083-00.md Sun Feb 14 20:02:01 2021 -0600
@@ -0,0 +1,22 @@
+---
+title: cve-2009-3083-00
+date: 2009-09-03T00:00:00.000Z
+cveNumber: cve-2009-3083
+summary: MSN partial SLP invite crash
+discoveredBy: blackstar in ticket #10159 and Elliott Sales de Andrade
+fixedInRelease: 2.6.2
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+The MSN protocol plugin extracts some fields from an incoming SLP invite. If
+some of these fields do not exist in the invite message then the protocol plugin
+will attempt to dereference a NULL pointer and will crash.
+
+### Mitigation
+
+Check for NULL values and handle appropriately.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2009-3084-00.md Sun Feb 14 20:02:01 2021 -0600
@@ -0,0 +1,23 @@
+---
+title: cve-2009-3084-00
+date: 2009-09-03T00:00:00.000Z
+cveNumber: cve-2009-3084
+summary: MSN handwritten message crash
+discoveredBy: aly89 in ticket #10048 and Elliott Sales de Andrade
+fixedInRelease: 2.6.2
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+The MSN protocol plugin used an incorrect character encoding when attempting to
+convert handwritten messages from one encoding to another. This caused the
+conversion to fail. This failure combined with an uninitialized variable can
+trigger a crash. The only vulnerable versions of libpurple are 2.6.0 and 2.6.1.
+
+### Mitigation
+
+Use the correct character set name and initialize error to NULL.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2009-3085-00.md Sun Feb 14 20:02:01 2021 -0600
@@ -0,0 +1,22 @@
+---
+title: cve-2009-3085-00
+date: 2009-09-03T00:00:00.000Z
+cveNumber: cve-2009-3085
+summary: XMPP custom smiley parsing bug
+discoveredBy: Florob, Waqas, Paul Aurich and Marcus Lundblad
+fixedInRelease: 2.6.2
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+The XMPP protocol plugin can crash when attempting to process an error response
+as a custom smiley. libpurple 2.5.2 through 2.6.1 are vulnerable. Older versions
+may be vulnerable as well.
+
+### Mitigation
+
+Handle error iq responses appropriately.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2009-3615-00.md Sun Feb 14 20:02:01 2021 -0600
@@ -0,0 +1,22 @@
+---
+title: cve-2009-3615-00
+date: 2009-10-16T00:00:00.000Z
+cveNumber: cve-2009-3615
+summary: ICQ and maybe AIM remote crash
+discoveredBy: nightwing666 in ticket #10481
+fixedInRelease: 2.6.3
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+A specially crafted message can trigger an incorrect memory access in the oscar
+protocol plugin which can lead to a crash. This happens when the SIM IM client
+attempts to send contacts to a libpurple user.
+
+### Mitigation
+
+Check for the correct number of fields before attempting to dereference memory.
+