htdocs/news/security/index.php

Mon, 08 Jun 2015 20:56:55 -0400

author
Richard Laager <rlaager@pidgin.im>
date
Mon, 08 Jun 2015 20:56:55 -0400
changeset 562
96658ad8ea6a
parent 556
4e64a2260176
child 569
5b158bc532a7
permissions
-rw-r--r--

Eliminate the Ubuntu-PPA download option

<?php
  // Per-page metadata; the shared header included below is what
  // presumably renders these (title, section navigation, description).
  // Edit these four values when cloning this page.
  $page['title']       = 'Pidgin Security Advisories';
  $page['section']     = 'News';
  $page['subsect']     = 'Security Advisories';
  $page['description'] = 'Security advisories for libpurple-based chat clients.';

  // The shared includes are resolved relative to DOCUMENT_ROOT, which is
  // set by the web server configuration rather than taken from the
  // request, and they live in inc/ one level above the document root.
  include $_SERVER['DOCUMENT_ROOT'] . '/../inc/header.inc';
  include $_SERVER['DOCUMENT_ROOT'] . '/../inc/version.inc';
?>

<div id="content">

<?php
  // News-section chrome shared with the other pages under /news, pulled
  // from the inc/ directory beside the document root.
  include $_SERVER['DOCUMENT_ROOT'] . '/../inc/section.news.inc';
?>

<div class="box_right">
<div id="main">

<?php

// Upper bound on how many advisories are shown on one page.  It is not
// referenced in this part of the file; presumably the listing/pagination
// code further down reads it — confirm before changing the value.
$max_per_page = 50;

// The $vulnerabilities table that follows is static advisory content
// maintained in this file.  Some "description" and "discoveredby" values
// already contain HTML (anchor tags), so whatever renders them must treat
// these fields as trusted markup rather than escaping them; nothing
// request-derived should be merged into these entries.

$vulnerabilities = array(
	array(
		"title"        => "MSN strncpy buffer overflow",
		"date"         => "2004-08-22",
		"cve"          => "CVE-2004-0500",
		"summary"      => "Possible for a remote MSN user to cause a buffer overflow.",
		"description"  => "In two places in the MSN protocol plugins (object.c and slp.c), strncpy was used incorrectly; the size of the array was not checked before copying to it.  Both bugs affect MSN's MSNSLP protocol, which is peer-to-peer, so this could potentially be easy to exploit.",
		"fix"          => "Bounds checking was added in both places.",
		"fixedversion" => "0.82",
		"discoveredby" => "Sebastian Krahmer, SUSE Security Team"
	),
	array(
		"title"        => "Smiley theme installation lack of escaping",
		"date"         => "2004-08-22",
		"cve"          => "CVE-2004-0784",
		"summary"      => "Dragging a carefully crafted smiley theme filename onto Gaim could cause arbitrary command execution.",
		"description"  => "To install a new smiley theme, a user can drag a tarball from a graphical file manager, or a hypertext link to one from a web browser.  When a tarball is dragged, Gaim executes a shell command to untar it.  However, it does not escape the filename before sending it to the shell.  Thus, a specially crafted filename could execute arbitrary commands if the user could be convinced to drag a file into the smiley theme selector.",
		"fix"          => "Filenames are now escaped using g_shell_quote().",
		"fixedversion" => "0.82",
		"discoveredby" => "A Gaim Crazy Patch Writer"
	),
	array(
		"title"        => "Groupware message receive integer overflow",
		"date"         => "2004-08-26",
		"cve"          => "CVE-2004-0754",
		"summary"      => "Carefully crafted messages could cause a buffer overflow.",
		"description"  => "Integer overflow in memory allocation results in heap overflow.  By passing the size variable as ~0, integer overflows to 0 when 1 is added in g_alloc().   a malloc(0) call results in 16 bytes of memory being allocated on IA- 32.  Then we can overflow the heap when nm_read_all() is called next step.  usually cases like this suck for exploitation, because the len (~0) is so large that a following call to memcpy() or strcpy() will just run into kernel mem or unmapped address  and fault.  however in this case we read the data from the network via a read() call, so we can just stop sending data and close the connection to short out before ~0 bytes are read.  however, this is triggered by input from the server, not directly from a client.  someone running a malicious groupware server could leverage this to run arbitrary code on the client.",
		"fix"          => "Bounds checking was added.",
		"fixedversion" => "0.82",
		"discoveredby" => "Sean (\"infamous42md\")"
	),
	array(
		"title"        => "URL decode buffer overflow",
		"date"         => "2004-08-26",
		"cve"          => "CVE-2004-0785",
		"summary"      => "Receiving exceedingly long URLs can cause a buffer overflow.",
		"description"  => "Buffer overflow.  The URL is decoded into a static buffer of length 2048 bytes.  I'm not sure it's possible to receive a URL longer than 2048 bytes, as many protocols have message limits that are shorter than that.",
		"fix"          => "A check to make sure the source string is shorter than 2048 bytes is performed.",
		"fixedversion" => "0.82",
		"discoveredby" => "Sean (\"infamous42md\")"
	),
	array(
		"title"        => "Local hostname resolution buffer overflow",
		"date"         => "2004-08-26",
		"cve"          => "CVE-2004-0785",
		"summary"      => "Possible buffer overflow when resolving the hostname of the local computer.",
		"description"  => "Buffer overflow.  If the local computers host name is not in /etc/hosts, and the computer performs a DNS query to obtain it's hostname when signing on to zephyr, it could receive a reply with a hostname greater than MAXHOSTNAMELEN (generally 64 bytes).  If gethostbyname() does not ensure the size of hostent->h_name is less than MAXHOSTNAMELEN, this value would be copied to a buffer that is not large enough.",
		"fix"          => "The calls to copy the hostname were replaced with calls that check the length of the destination buffer.",
		"fixedversion" => "0.82",
		"discoveredby" => "Sean (\"infamous42md\")"
	),
	array(
		"title"        => "RTF message buffer overflow",
		"date"         => "2004-08-26",
		"cve"          => "CVE-2004-0785",
		"summary"      => "Invalid rich text format messages could cause a buffer overflow.",
		"description"  => "Buffer overflow.  There are some loops that read into fixed-sized buffers and do not check to make sure they are not writing too much.",
		"fix"          => "Added bounds checking to the two loops.",
		"fixedversion" => "0.82",
		"discoveredby" => "Sean (\"infamous42md\")"
	),
	array(
		"title"        => "Content-length DOS (malloc error)",
		"date"         => "2004-08-26",
		"summary"      => "Posibile for a malicious web server to provide a web page with a false content-length value which could crash Gaim.",
		"description"  => "Remote crash.  When a remote server provides a large \"content-length\" header value, Gaim will attempt to allocate a buffer to store the content, however this allocation attempt will cause Gaim to crash if the length exceeds the amount of possible memory.  This happens when reading profile information on some protocols.  It also happens when smiley themes are installed via drag and drop.",
		"fix"          => "The call to g_malloc() was replaced with a call to g_try_malloc().  If the memory could not be allocated the function returns instead of causing the application to crash.",
		"fixedversion" => "0.82",
		"discoveredby" => "Sean (\"infamous42md\")"
	),
	array(
		"title"        => "MSN File transfer DOS (malloc error)",
		"date"         => "2004-10-19",
		"summary"      => "Crash when accepting a large file transfer that exceeds the amount of available memory.",
		"description"  => "Remote crash. After accepting a file transfer request, Gaim will attempt to allocate a buffer of a size equal to the entire filesize, this allocation attempt will cause Gaim to crash if the size exceeds the amount of available memory.",
		"fix"          => "Don't allocate a buffer for file transfers.",
		"fixedversion" => "1.0.2",
		"discoveredby" => "Gaim"
	),
	array(
		"title"        => "MSN SLP DOS (malloc error)",
		"date"         => "2004-10-19",
		"summary"      => "Crash when receiving malformed MSN SLP message",
		"description"  => "Remote crash. Gaim allocates a buffer for the payload of each message received based on the size field in the header of the message. A malicious peer could specify an invalid size that exceeds the amount of available memory.",
		"fix"          => "Replace call to g_malloc() with call to g_try_malloc(). If the memory could not be allocated the function returns instead of causing the application to crash.",
		"fixedversion" => "1.0.2",
		"discoveredby" => "Gaim"
	),
	array(
		"title"        => "MSN SLP buffer overflow",
		"date"         => "2004-10-19",
		"cve"          => "CVE-2004-0891",
		"summary"      => "Buffer overflow when receiving unexpected sequence of MSN SLP messages",
		"description"  => "Buffer overflow. memcpy was used without checking the size of the buffer before copying to it. Additionally, a logic flaw was causing the wrong buffer to be used as the destination for the copy under certain circumstances.",
		"fix"          => "Correct the logic to select the correct buffer, and add bounds checking to prevent malformed messages causing a buffer overflow.",
		"fixedversion" => "1.0.2",
		"discoveredby" => "Gaim"
	),
	array(
		"title"        => "AIM/ICQ remote denial of service",
		"date"         => "2005-02-17",
		"cve"          => "CVE-2005-0472",
		"summary"      => "Client freezes when receiving certain invalid messages",
		"description"  => "Certain malformed SNAC packets sent by other AIM or ICQ users can trigger an infinite loop in Gaim when parsing the SNAC.  The remote user would need a custom client, able to generate malformed SNACs.",
		"fix"          => "The OSCAR protocol plugin was modified to drop these malformed packets.",
		"fixedversion" => "1.1.3",
		"discoveredby" => "Brandon Scott (\"Xeon\")"
	),
	array(
		"title"        => "Remote DoS on receiving malformed HTML",
		"date"         => "2005-02-17",
		"cve"          => "CVE-2005-0473",
		"summary"      => "Client crashes when receiving specific malformed HTML",
		"description"  => "Remote crash. Receiving malformed HTML can result in an invalid memory access causing Gaim to crash.",
		"fix"          => "The HTML parsing functions were modified to correctly parse the malformed HTML.",
		"fixedversion" => "1.1.3",
		"discoveredby" => "Gaim"
	),
	array(
		"title"        => "Remote DoS on receiving malformed HTML",
		"date"         => "2005-02-24",
		"cve"          => "CVE-2005-0208",
		"summary"      => "Client crashes when receiving specific malformed HTML",
		"description"  => "Remote crash. Receiving malformed HTML can result in an invalid memory access causing Gaim to crash.",
		"fix"          => "The HTML parsing functions were modified to correctly parse the malformed HTML.",
		"fixedversion" => "1.1.4",
		"discoveredby" => "Gaim"
	),
	array(
		"title"        => "Remote DoS on receiving malformed HTML",
		"date"         => "2005-04-02",
		"cve"          => "CVE-2005-0965",
		"summary"      => "Client crash when receiving specific malformed HTML",
		"description"  => "The gaim_markup_strip_html function in Gaim 1.2.0, and possibly earlier versions, allows remote attackers to cause a denial of service (application crash) via a string that contains malformed HTML, which causes an out-of-bounds read.",
		"fix"          => "The function was changed to not allow the out-of-bounds read.",
		"fixedversion" => "1.2.1",
		"discoveredby" => "Jean-Yves Lefort"
	),
	array(
		"title"        => "Remote DoS on receiving certain messages over IRC",
		"date"         => "2005-04-02",
		"cve"          => "CVE-2005-0966",
		"summary"      => "Client crash and other strange behavior when receiving specific messages over IRC",
		"description"  => "The IRC protocol plugin in Gaim 1.2.0, and possibly earlier versions, allows (1) remote attackers to inject arbitrary Gaim markup via irc_msg_kick, irc_msg_mode, irc_msg_part, irc_msg_quit, (2) remote attackers to inject arbitrary Pango markup and pop up empty dialog boxes via irc_msg_invite, or (3) malicious IRC servers to cause a denial of service (application crash) by injecting certain Pango markup into irc_msg_badmode, irc_msg_banned, irc_msg_unknown, irc_msg_nochan functions.",
		"fix"          => "The IRC protocol plugin was modified to escape appropriate messages passed to the Gaim core.",
		"fixedversion" => "1.2.1",
		"discoveredby" => "Jean-Yves Lefort"
	),
	array(
		"title"        => "Jabber remote crash",
		"date"         => "2005-04-04",
		"cve"          => "CVE-2005-0967",
		"summary"      => "A remote jabber user can cause Gaim to crash by sending a specific file transfer request.",
		"description"  => "Sending a Gaim Jabber user a certain invalid file transfer request triggers an out-of-bounds read which causes Gaim to crash.",
		"fix"          => "The invalid file transfer request is ignored.",
		"fixedversion" => "1.2.1",
		"discoveredby" => "Marco Alvarez"
	),
	array(
		"title"        => "Remote crash on some protocols",
		"date"         => "2005-05-10",
		"cve"          => "CVE-2005-1261",
		"summary"      => "Specially crafted messages on certain protocols can cause a buffer overflow",
		"description"  => "It is possible for a remote user to overflow a static buffer by sending an IM containing a very large URL (greater than 8192 bytes) to the Gaim user.  This is not possible on all protocols, due to message length restrictions.  Jabber are SILC are known to be vulnerable.",
		"fix"          => "The URL parsing function was modified to not use a static buffer.",
		"fixedversion" => "1.3.0",
		"discoveredby" => "Stu Tomlinson"
	),
	array(
		"title"        => "MSN Remote DoS",
		"date"         => "2005-05-10",
		"cve"          => "CVE-2005-1262",
		"summary"      => "Remote denial of service when receiving a specially crafted MSN message",
		"description"  => "Potential remote denial of service bug resulting from not checking a pointer for non-NULL before passing it to strncmp, which results in a crash.  This can be triggered by a remote client sending an SLP message with an empty body.",
		"fix"          => "Check for NULL before attempting to use the pointer.",
		"fixedversion" => "1.3.0",
		"discoveredby" => "Siebe Tolsma"
	),
	array(
		"title"        => "Remote Yahoo! crash",
		"date"         => "2005-06-10",
		"cve"          => "CVE-2005-1269",
		"summary"      => "Remote denial of service on Yahoo!",
		"description"  => "Remove denial of service when being offered files with names containing non-ASCII characters.",
		"fix"          => "Attempt to convert the file name to a usable encoding, or fail gracefully in the case of an invalid file name.",
		"fixedversion" => "1.3.1",
		"discoveredby" => "Jacopo Ottaviani"
	),
	array(
		"title"        => "MSN Remote DoS",
		"date"         => "2005-06-10",
		"cve"          => "CVE-2005-1934",
		"summary"      => "Certain malformed MSN messages can cause gaim to crash",
		"description"  => "Remote attackers can cause a denial of service (crash) via a malformed MSN message that leads to a memory allocation of a large size, possibly due to an integer signedness error.",
		"fix"          => "Added a check for the invalid message.",
		"fixedversion" => "1.3.1",
		"discoveredby" => "Hugo de Bokkenrijder"
	),
	array(
		"title"        => "Gadu-Gadu memory alignment bug",
		"date"         => "2005-08-11",
		"cve"          => "CVE-2005-2370",
		"summary"      => "A memory alignment bug in the Gadu-Gadu protocol plugin can result in a buffer overflow",
		"description"  => "There was a memory alignment bug in the library Gaim uses to access the Gadu-Gadu network.  This bug can not be exploited on x86 architectures.  This bug was recently fixed in the libgadu library, but also needed to be fixed in Gaim because Gaim includes a copy of the libgadu library.",
		"fix"          => "The vulnerable section of code was modified to work correctly on all architectures.",
		"fixedversion" => "1.5.0",
		"discoveredby" => "Marcin Owsiany and Wojtek Kaniewski"
	),
	array(
		"title"        => "AIM/ICQ non-UTF-8 filename crash",
		"date"         => "2005-08-11",
		"cve"          => "CVE-2005-2102",
		"summary"      => "Invalid filenames can cause a crash on some systems",
		"description"  => "A remote user could cause Gaim to crash on some systems by sending the Gaim user a file whose filename contains certain invalid characters.  It is unknown what combination of systems are affected, but it is suspected that Windows users and systems with older versions of GTK+ are especially susceptible.",
		"fix"          => "The filename is validated as UTF-8 before Gaim attemps to display it.",
		"fixedversion" => "1.5.0",
		"discoveredby" => "Unknown"
	),
	array(
		"title"        => "AIM/ICQ away message buffer overflow",
		"date"         => "2005-08-11",
		"cve"          => "CVE-2005-2103",
		"summary"      => "Remote users can cause a buffer overflow",
		"description"  => "A remote AIM or ICQ user can cause a buffer overflow in Gaim by setting an away message containing many AIM substitution strings (such as %t or %n).",
		"fix"          => "The substitution function was modified to use a dynamic buffer instead of one with a fixed size.",
		"fixedversion" => "1.5.0",
		"discoveredby" => "Brandon Perry"
	),
	array(
		"title"        => "MSN Remote \"Nudge\" DoS",
		"date"         => "2007-09-27",
		"cve"          => "CVE-2007-4996",
		"summary"      => "MSN nudges sent from unknown buddies can cause libpurple 2.2.0 to crash",
		"description"  => "A remote MSN user that is not on the buddy list can cause a denial of service (crash) by sending a nudge message.  The protocol plugin attempts to look up the buddy's information and accesses an invalid memory location if the user is not on the buddy list. This only affects libpurple version 2.2.0, older versions are not affected.",
		"fix"          => "The nudge functionality in the MSN protocol has been rewritten to avoid an unnecessary lookup of buddy information.",
		"fixedversion" => "2.2.1",
		"discoveredby" => "Evan Schoenberg"
	),
	array(
		"title"        => "NULL pointer dereference in parsing invalid HTML",
		"date"         => "2007-10-24",
		"cve"          => "CVE-2007-4999",
		"summary"      => "Receiving invalid HTML can cause libpurple 2.1.0 through 2.2.1 to crash",
		"description"  => "A remote user can cause a denial of service (crash) by sending a message with invalid HTML.  It is believed that this crash can be triggered only when using HTML logging.",
		"fix"          => "The affected function has been patched to fix the vulnerability.",
		"fixedversion" => "2.2.2",
		"discoveredby" => "Jeffrey Rosen"
	),
	array(
		"title"        => "MSN malformed SLP message overflow",
		"date"         => "2008-07",
		"cve"          => "CVE-2008-2927",
		"summary"      => "Malformed SLP messages can cause a buffer overflow",
		"description"  => "Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in libpurple allow remote attackers to execute arbitrary code via a malformed SLP message.",
		"fix"          => "The affected function has been patched to fix the vulnerability.",
		"fixedversion" => "2.4.3",
		"discoveredby" => "Anonymous (via TippingPoint's Zero Day Initiative)"
	),
	array(
		"title"        => "MSN Remote file transfer filename DoS",
		"date"         => "2008-06-25",
		"cve"          => "CVE-2008-2955",
		"summary"      => "MSN file transfers with specially crafted file names can cause libpurple to crash",
		"description"  => "A remote MSN user can cause a denial of service (crash) by sending a file with a file with a filename containing invalid characters.  The local user must then accept the file transfer to trigger a double-free.",
		"fix"          => "A fix was applied to ensure that the double-free didn't occur.",
		"fixedversion" => "2.4.3",
		"discoveredby" => "Juan Pablo Lopez Yacubian"
	),
	array(
		"title"        => "Remote UPnP discovery DoS",
		"date"         => "2007-05-11",
		"cve"          => "CVE-2008-2957",
		"summary"      => "A malicious process could pose as a UPnP server and cause libpurple to download excessive data.",
		"description"  => "The UPnP functionality in libpurple allows remote attackers to trigger the download of arbitrary files and cause a denial of service (memory or disk consumption) via a UDP packet that specifies an arbitrary URL.",
		"fix"          => "UPnP related downloads are limited to 128kB",
		"fixedversion" => "2.5.0",
		"discoveredby" => "Andrew Hunt and Christian Grothoff"
	),
	array(
		"title"        => "NSS TLS/SSL Certificates not validated",
		"date"         => "2008-07-25",
		"cve"          => "CVE-2008-3532",
		"summary"      => "No validation on SSL certificates was performed for NSS SSL",
		"description"  => "The NSS SSL implementation in libpurple does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service.",
		"fix"          => "SSL/TLS Certificates are now verified in the NSS implementation in libpurple.",
		"fixedversion" => "2.5.0",
		"discoveredby" => "Josh Triplett"
	),
	array(
		"title"        => "XMPP file transfer buffer overflow",
		"date"         => "2009-05-02",
		"cve"          => "CVE-2009-1373",
		"summary"      => "Buffer overflow is possible when initiating file transfer to a malicious buddy over XMPP",
		"description"  => "The XMPP SOCKS5 bytestream server was not correctly checking the bounds of a buffer when initiating an outgoing file transfer.",
		"fix"          => "The affected function has been patched to fix the vulnerability.",
		"fixedversion" => "2.5.6",
		"discoveredby" => "Veracode"
	),
	array(
		"title"        => "QQ remote DoS",
		"date"         => "2009-05-03",
		"cve"          => "CVE-2009-1374",
		"summary"      => "Possible remote denial of service when receiving a QQ packet",
		"description"  => "decrypt_out() always writes 8 bytes past the supplied buffer, which is always allocated on the stack. We don't believe this can cause anything outside of a crash.",
		"fix"          => "decrypt_out() is fixed to not write past the end of the buffer.",
		"fixedversion" => "2.5.6",
		"discoveredby" => "Ka-Hing Cheung"
	),
	array(
		"title"        => "Remote DoS in multiple protocols",
		"date"         => "2009-03-20",
		"cve"          => "CVE-2009-1375",
		"summary"      => "Remote denial of service that affects several protocols",
		"description"  => "A buffer maintained by PurpleCircBuffer may be corrupted if it's exactly full and then more bytes are added to it, leading to a crash. This structure is used by the XMPP and Sametime protocol plugins.",
		"fix"          => "PurpleCircBuffer now correctly checks bounds.",
		"fixedversion" => "2.5.6",
		"discoveredby" => "Josef Andrysek"
	),
	array(
		"title"        => "MSN malformed SLP message overflow",
		"date"         => "2009-05-02",
		"cve"          => "CVE-2009-1376",
		"summary"      => "Malformed SLP messages can cause a buffer overflow",
		"description"  => "The previous fix to <a href=\"/news/security/?id=25\">CVE-2008-2927</a> was deemed incomplete. The size check improperly cast an uint64 to size_t which can cause an integer overflow, rendering the check useless.",
		"fix"          => "The proper variable type is now used when doing size comparison. Additionally, the malformed message is now properly discarded.",
		"fixedversion" => "2.5.6",
		"discoveredby" => "Loc VALBON (via TippingPoint's Zero Day Initiative)"
	),
	array(
		"title"        => "ICQ parser excessive memory allocation",
		"date"         => "2009-05-28",
		"cve"          => "CVE-2009-1889",
		"summary"      => "Misparsed web messages can result in excessive memory allocation",
		"description"  => "The ICQ prpl would misparse an incoming ICQ Web Message as an SMS message in certain circumstances, leading to an excessively large allocation.",
		"fix"          => "Yuriy's patch corrected the misparsing of such ICQ web messages so they are no longer treated as SMS messages and added validation to avoid unnecessary memory allocations.",
		"fixedversion" => "2.5.8",
		"discoveredby" => "Yuriy Kaminskiy"
	),
	array(
		"title"        => "MSN overflow parsing SLP messages",
		"date"         => "2009-08-18",
		"cve"          => "CVE-2009-2694",
		"summary"      => "Specially crafted SLP messages can cause a buffer overflow",
		"description"  => "By sending two consecutive specially crafted SLP messages it is possible to trigger an memcpy to an invalid location in memory.  This affects all versions of libpurple and Gaim released in the past few years.",
		"fix"          => "Correctly destroy outgoing SLP ACK messages after they are sent, and ensure a buffer has been allocated within the SLP data structure before attempting to write to it.",
		"fixedversion" => "2.5.9",
		"discoveredby" => "Core Security Technologies"
	),
	array(
		"title"        => "Yahoo IM parsing crash",
		"date"         => "2009-08-22",
		"cve"          => "CVE-2009-3025",
		"summary"      => "Crash in Yahoo protocol plugin when receiving an IM",
		"description"  => "Possibly depending on the architecture and/or flags used to compile libpurple, the Yahoo protocol plugin may crash when receiving an IM from any user which contains a URL.  The only vulnerable version of libpurple is 2.6.0.",
		"fix"          => "Correctly parse URLs in incoming Yahoo messages.",
		"fixedversion" => "2.6.1",
		"discoveredby" => "adk"
	),
	array(
		"title"        => "XMPP may not enforce TLS",
		"date"         => "2009-09-03",
		"cve"          => "CVE-2009-3026",
		"summary"      => "XMPP does not always respect the \"require TLS/SSL\" preference",
		"description"  => "The XMPP protocol plugin can be tricked into establishing an insecure connection by a malicious man in the middle by causing libpurple to use the older IQ-based login and then not offering TLS/SSL.  The \"require TLS/SSL\" option was introduced in 2.2.0.",
		"fix"          => "Respect the \"require TLS/SSL\" preference for this type of connection.",
		"fixrevisions" => "447ef31d038a",
		"fixedversion" => "2.6.0",
		"discoveredby" => "bugdave in <a href=\"https://developer.pidgin.im/ticket/8131\">ticket #8131</a> and Paul Aurich"
	),
	array(
		"title"        => "XMPP custom smiley parsing bug",
		"date"         => "2009-09-03",
		"cve"          => "CVE-2009-3085",
		"summary"      => "XMPP can crash when parsing certain custom smiley responses",
		"description"  => "The XMPP protocol plugin can crash when attempting to process an error response as a custom smiley.  libpurple 2.5.2 through 2.6.1 are vulnerable.  Older versions may be vulnerable as well.",
		"fix"          => "Handle error iq responses appropriately.",
		"fixrevisions" => "2da956f23839",
		"fixedversion" => "2.6.2",
		"discoveredby" => "Florob, Waqas, Paul Aurich and Marcus Lundblad"
	),
	array(
		"title"        => "MSN handwritten message crash",
		"date"         => "2009-09-03",
		"cve"          => "CVE-2009-3084",
		"summary"      => "MSN incorrectly handles incoming handwritten messages, which can lead to a crash",
		"description"  => "The MSN protocol plugin used an incorrect character encoding when attempting to convert handwritten messages from one encoding to another.  This caused the conversion to fail.  This failure combined with an uninitialized variable can trigger a crash.  The only vulnerable versions of libpurple are 2.6.0 and 2.6.1.",
		"fix"          => "Use the correct character set name and initialize error to NULL.",
		"fixrevisions" => "b579df23a255",
		"fixedversion" => "2.6.2",
		"discoveredby" => "aly89 in <a href=\"https://developer.pidgin.im/ticket/10048\">ticket #10048</a> and Elliott Sales de Andrade"
	),
	array(
		"title"        => "MSN partial SLP invite crash",
		"date"         => "2009-09-03",
		"cve"          => "CVE-2009-3083",
		"summary"      => "MSN expects certain values to exist, and crashes if they do not",
		"description"  => "The MSN protocol plugin extracts some fields from an incoming SLP invite.  If some of these fields do not exist in the invite message then the protocol plugin will attempt to dereference a NULL pointer and will crash.",
		"fix"          => "Check for NULL values and handle appropriately.",
		"fixrevisions" => "2431bae68adf",
		"fixedversion" => "2.6.2",
		"discoveredby" => "blackstar in <a href=\"https://developer.pidgin.im/ticket/10159\">ticket #10159</a> and Elliott Sales de Andrade"
	),
	array(
		"title"        => "IRC crash from malicious server",
		"date"         => "2009-09-03",
		"cve"          => "CVE-2009-2703",
		"summary"      => "A malicious server can send an invalid IRC message which triggers a crash",
		"description"  => "A specially crafted IRC TOPIC message can trigger a NULL pointer dereference in the IRC protocol plugin's code for handling IRC topics.",
		"fix"          => "Correctly ignore invalid TOPIC messages sent from the server.",
		"fixrevisions" => "615584769b59",
		"fixedversion" => "2.6.2",
		"discoveredby" => "Cristofaro Mune"
	),
	array(
		"title"        => "ICQ and maybe AIM remote crash",
		"date"         => "2009-10-16",
		"cve"          => "CVE-2009-3615",
		"summary"      => "A remote user can cause libpurple-based clients to crash",
		"description"  => "A specially crafted message can trigger an incorrect memory access in the oscar protocol plugin which can lead to a crash.  This happens when the SIM IM client attempts to send contacts to a libpurple user.",
		"fix"          => "Check for the correct number of fields before attempting to dereference memory.",
		"fixrevisions" => "7dc8dfacd548",
		"fixedversion" => "2.6.3",
		"discoveredby" => "nightwing666 in <a href=\"https://developer.pidgin.im/ticket/10481\">ticket #10481</a>"
	),
	array(
		"title"        => "MSN file download vulnerability",
		"date"         => "2010-01-08",
		"cve"          => "CVE-2010-0013",
		"summary"      => "A remote user can download arbitrary files from a libpurple-based client",
		"description"  => "The MSN protocol plugin extracts the filename of a custom emoticon from an incoming request and uploads that file without correlating the filename to a valid custom emoticon.",
		"fix"          => "Validate the custom emoticon requested is valid before uploading its file data.",
		"fixrevisions" => "7e381f84b894",
		"fixedversion" => "2.6.5",
		"discoveredby" => "Fabian Yamaguchi"
	),
	array(
		"title"        => "MSN malformed SLP message crash",
		"date"         => "2010-02-18",
		"cve"          => "CVE-2010-0277",
		"summary"      => "Failure to validate all fields of an incoming message can trigger a crash",
		"description"  => "Certain malformed SLP messages can trigger a crash because the MSN protocol plugin fails to check that all pieces of the message are set correctly.",
		"fix"          => "Validate input before attempting to handle the message.",
		"fixrevisions" => "9a3f73531905",
		"fixedversion" => "2.6.6",
		"discoveredby" => "Fabian Yamaguchi"
	),
	array(
		"title"        => "Finch XMPP MUC crash",
		"date"         => "2010-02-18",
		"cve"          => "CVE-2010-0420",
		"summary"      => "Certain nicknames in group chat rooms can trigger a crash in Finch",
		"description"  => "If a user in a multi-user chat room has a nickname containing '&lt;br&gt;' then libpurple ends up having two users with username '\n' in the room, and Finch crashes in this situation.  We do not believe there is a possibility of remote code execution.",
		"fix"          => "Correctly parse '&lt;br&gt;' so that it appears literally rather than as '\n'.",
		"fixrevisions" => "cf4435714f5f,6c8add94b5a4",
		"fixedversion" => "2.6.6",
		"discoveredby" => "Sadrul Habib Chowdhury"
	),
	array(
		"title"        => "Smiley denial of service",
		"date"         => "2010-02-18",
		"cve"          => "CVE-2010-0423",
		"summary"      => "Pidgin can become unresponse when displaying large numbers of smileys",
		"description"  => "oCERT notified us about a problem in Pidgin, where a large amount of processing time will be used when inserting many smileys into an IM or chat window.  This should not cause a crash, but Pidgin can become unusably slow.",
		"fix"          => "A limit was added for the maximum number of smileys allowed in a conversation.",
		"fixrevisions" => "a783b23a05da",
		"fixedversion" => "2.6.6",
		"discoveredby" => "Antti Hayrynen"
	),
	array(
		"title"        => "MSN emoticon denial of service",
		"date"         => "2010-05-12",
		"cve"          => "CVE-2010-1624",
		"summary"      => "Libpurple clients can crash due to malformed SLP message",
		"description"  => "A vulnerability was discovered in libpurple's MSN protocol plugin that can cause a denial of service (crash) due to insufficient validation of certain SLP packets related to custom emoticons.  An attacker could use this vulnerability to remotely crash a client using libpurple for MSN.  It is not possible for this vulnerability to be exploited for code execution.  As a workaround, disabling custom emoticons on MSN accounts will prevent the vulnerability.",
		"fix"          => "Validation has been added to the MSN plugin to prevent the crash.",
		"fixrevisions" => "a91ffa611a85",
		"fixedversion" => "2.7.0",
		"discoveredby" => "Pierre Noguès of Meta Security"
	),
	array(
		"title"        => "ICQ X-Status denial of service",
		"date"         => "2010-07-21",
		"cve"          => "CVE-2010-2528",
		"summary"      => "libpurple clients can crash due to malformed X-Status messages",
		"description"  => "Certain incorrectly formed X-Status messages can cause libpurple to attempt to dereference a NULL pointer, which triggers a crash.",
		"fix"          => "Improve the parsing of the X-Status message to be more robust",
		"fixrevisions" => "a56f371f289a",
		"fixedversion" => "2.7.2",
		"discoveredby" => "Mark Doliner"
	),
	array(
		"title"        => "purple_base64_decode() remote crashes",
		"date"         => "2010-10-20",
		"cve"          => "CVE-2010-3711",
		"summary"      => "Multiple remotely-triggered denials of service",
		"description"  => "It has been discovered that eight denial of service conditions exist in libpurple all due to insufficient validation of the return value from purple_base64_decode().  Invalid or malformed data received in place of a valid base64-encoded value in portions of the Yahoo!, MSN, MySpaceIM, and XMPP protocol plugins and the NTLM authentication support trigger a crash.  These vulnerabilities can be leveraged by a remote user for denial of service.",
		"fix"          => "Check the return value from purple_base64_decode() before trying to use it.",
		"fixrevisions" => "1a7e2da2ab01",
		"fixedversion" => "2.7.4",
		"discoveredby" => "Daniel Atallah"
	),
	array(
		"title"        => "MSN direct connection denial of service",
		"date"         => "2010-12-26",
		"cve"          => "CVE-2010-4528",
		"summary"      => "Remotely-triggered denial of service in MSN",
		"description"  => "It was discovered that libpurple 2.7.6 through 2.7.8 did not properly handle &quot;short&quot; packets in MSN direct connection sessions, leading to a crash due to a NULL pointer dereference.  Malicious clients or users can exploit this to cause a denial of service (crash).",
		"fix"          => "Ignore short packets.",
		"fixrevisions" => "26fc2e71129a",
		"fixedversion" => "2.7.9",
		"discoveredby" => "Stu Tomlinson"
	),
	array(
		"title"        => "Cipher API information disclosure",
		"date"         => "2011-02-06",
		"summary"      => "Potential local information disclosure in libpurple",
		"description"  => "It was discovered that libpurple versions prior to 2.7.10 do not properly clear certain data structures used in libpurple/cipher.c prior to freeing.  An attacker could potentially extract partial information from memory regions freed by libpurple.",
		"fix"          => "Proper structure clearing has been implemented.",
		"fixrevisions" => "8c850977cb42",
		"fixedversion" => "2.7.10",
		"discoveredby" => "Julia Lawall"
	),
	array(
		"title"        => "Remote denial of service in Yahoo protocol plugin",
		"date"         => "2011-03-10",
		"cve"          => "CVE-2011-1091",
		"summary"      => "Improper handling of malformed packets leads to denial of service",
		"description"  => "The Yahoo protocol plugin in libpurple versions 2.6.0 through 2.7.10 do not properly handle malformed YMSG packets, leading to NULL pointer dereferences and application crash.",
		"fix"          => "Properly handle malformed packets by ignoring the packet or the missing field.",
		"fixrevisions" => "3efb6fbae94a",
		"fixedversion" => "2.7.11",
		"discoveredby" => "Marius Wachtler"
	),
	array(
		"title"        => "Remote denial of service from corrupt buddy icons",
		"date"         => "2011-06-23",
		"cve"          => "CVE-2011-2485",
		"summary"      => "A remote attacker could set a specially-crafted GIF image as their buddy icon that could lead to Pidgin being terminated due to excessive memory use",
		"description"  => "It was found that the gdk-pixbuf GIF image loader routine gdk_pixbuf__gif_image_load() did not properly handle certain return values from its subroutines.  A remote attacker could provide a specially-crafted GIF image, which, once opened in Pidgin, would lead gdk-pixbuf to return a partially initialized pixbuf structure.  Using this structure, possibly containing a huge width and height, could lead to the application being terminated due to excessive memory use.",
		"fix"          => "Change Pidgin to look at the GError parameter in addition to the return value when calling certain gdk-pixbuf functions.",
		"fixrevisions" => "96183796df0c",
		"fixedversion" => "2.9.0",
		"discoveredby" => "Mark Doliner"
	),
	array(
		"title"        => "Remote crash in IRC protocol plugin",
		"date"         => "2011-08-20",
		"cve"          => "CVE-2011-2943",
		"description"  => "Certain characters in the nicknames of IRC users can trigger a null pointer dereference in the IRC protocol plugin's handling of responses to WHO requests.  This can cause a crash on some operating systems.  Clients based on libpurple 2.8.0 through 2.9.0 are affected.",
		"fix"          => "Change libpurple to validate the data it receives from the server before attempting to use it.",
		"fixrevisions" => "619f32df41f1",
		"fixedversion" => "2.10.0",
		"discoveredby" => "Djego Ibanez, Lead QA at Gamistry"
	),
	array(
		"title"        => "Remote crash in MSN protocol plugin",
		"date"         => "2011-08-20",
		"cve"          => "CVE-2011-3184",
		"description"  => "Incorrect handling of HTTP 100 responses in the MSN protocol plugin can cause the application to attempt to access memory that it does not have access to.  This only affects users who have turned on the HTTP connection method for their accounts (it's off by default).  This might only be triggerable by a malicious server and not a malicious peer.  We believe remote code execution is not possible.",
		"fix"          => "Correctly take into account the size of HTTP 100 response when parsing server messages.",
		"fixrevisions" => "2379d8500566",
		"fixedversion" => "2.10.0",
		"discoveredby" => "Marius Wachtler"
	),
	array(
		"title"        => "Pidgin uses clickable links to untrusted executables",
		"date"         => "2011-08-20",
		"cve"          => "CVE-2011-3185",
		"description"  => "If a user clicks on a file:// URI in a received IM in Windows builds of Pidgin, Pidgin attempts to execute the file.  This can be dangerous if the file:// URI is a path on a network share.",
		"fix"          => "Don't attempt to execute files when the user clicks a file:// URI.  Instead, open a file browser at the file's location.",
		"fixrevisions" => "4377067bda01",
		"fixedversion" => "2.10.0",
		"discoveredby" => "James Burton, Insomnia Security"
	),
	array(
		"title"        => "SILC remote crash",
		"date"         => "2011-09-29",
		"cve"          => "CVE-2011-3594",
		"description"  => "When receiving various incoming messages, the SILC protocol plugin failed to validate that a piece of text was UTF-8.  In some cases invalid UTF-8 data would lead to a crash.",
		"fix"          => "Validate incoming strings as UTF-8 before using them as such.",
		"fixrevisions" => "69372ee4f474",
		"fixedversion" => "2.10.1",
		"discoveredby" => "Diego Bauche Madero from IOActive"
	),
	array(
		"title"        => "AIM and ICQ remote crash",
		"date"         => "2011-10-20",
		"cve"          => "CVE-2011-4601",
		"description"  => "When receiving various messages related to requesting or receiving authorization for adding a buddy to a buddy list, the oscar protocol plugin failed to validate that a piece of text was UTF-8.  In some cases invalid UTF-8 data would lead to a crash.",
		"fix"          => "Validate incoming strings as UTF-8 before using them as such.",
		"fixrevisions" => "8431da66063b",
		"fixedversion" => "2.10.1",
		"discoveredby" => "Evgeny Boger"
	),
	array(
		"title"        => "XMPP remote crash",
		"date"         => "2011-12-10",
		"cve"          => "CVE-2011-4602",
		"description"  => "When receiving various stanzas related to voice and video chat, the XMPP protocol plugin failed to ensure that the incoming message contained all required fields, and would crash if certain fields were missing.",
		"fix"          => "Check for missing fields and handle them appropriately.",
		"fixrevisions" => "15eb0e242206",
		"fixedversion" => "2.10.1",
		"discoveredby" => "Thijs Alkemade"
	),
	array(
		"title"        => "SILC remote crash",
		"date"         => "2011-09-29",
		"cve"          => "CVE-2011-4603",
		"description"  => "When receiving various incoming messages, the SILC protocol plugin failed to validate that a piece of text was UTF-8.  In some cases invalid UTF-8 data would lead to a crash.  This vulnerability is similar to CVE-2011-3594, but occurs in a different piece of code and was fixed at a later date.",
		"fix"          => "Validate incoming strings as UTF-8 before using them as such.",
		"fixrevisions" => "fa8d4132d071",
		"fixedversion" => "2.10.1",
		"discoveredby" => "Diego Bauche Madero from IOActive"
	),
	array(
		"title"        => "XMPP remote crash",
		"date"         => "2011-07-08",
		"cve"          => "CVE-2011-4939",
		"description"  => "Certain types of nickname changes in XMPP chat rooms can trigger a NULL pointer dereference in Pidgin, which triggers a crash.",
		"fix"          => "Check for NULL before trying to use a struct.",
		"fixrevisions" => "92fdfe84de21",
		"fixedversion" => "2.10.2",
		"discoveredby" => "Clemens Huebner in <a href=\"https://developer.pidgin.im/ticket/14392\">ticket #14392</a> and Kevin Stange"
	),
	array(
		"title"        => "Possible MSN remote crash",
		"date"         => "2012-01-17",
		"cve"          => "CVE-2012-1178",
		"description"  => "In some situations the MSN server sends text that isn't UTF-8 encoded, and Pidgin fails to verify the text's encoding.  In some cases this can lead to a crash when attempting to display the text.",
		"fix"          => "Verify that incoming text is UTF-8, and sanitize if it's not.",
		"fixrevisions" => "1b1b97b8e942,f9eeb175a5c9,f5fd49c83637,5c02bc93f2c4,85ec889f1675",
		"fixedversion" => "2.10.2",
		"discoveredby" => "Thijs Alkemade in <a href=\"https://developer.pidgin.im/ticket/14884\">ticket #14884</a>"
	),
	array(
		"title"        => "XMPP remote crash",
		"date"         => "2012-05-06",
		"cve"          => "CVE-2012-2214",
		"description"  => "A series of specially crafted file transfer requests can cause clients to reference invalid memory.  The user must have accepted one of the file transfer requests.",
		"fix"          => "Correctly cancel and free a SOCKS5 connection attempt so that it does not trigger an attempt to access invalid memory later.",
		"fixrevisions" => "5f9d676cefdb",
		"fixedversion" => "2.10.4",
		"discoveredby" => "José Valentín Gutiérrez"
	),
	array(
		"title"        => "Possible MSN remote crash",
		"date"         => "2012-05-06",
		"cve"          => "CVE-2012-2318",
		"description"  => "Incoming messages with certain characters or character encodings can cause clients to crash.",
		"fix"          => "The contents of all incoming plaintext messages are converted to UTF-8 and validated before used.",
		"fixrevisions" => "4d6bcb4f4ea4",
		"fixedversion" => "2.10.4",
		"discoveredby" => "Fabian Yamaguchi"
	),
	array(
		"title"        => "MXit buffer overflow",
		"date"         => "2012-07-05",
		"cve"          => "CVE-2012-3374",
		"description"  => "Incorrect handing of inline images in incoming instant messages can cause a buffer overflow and in some cases can be exploited to execute arbitrary code.",
		"fix"          => "Use dynamically allocated memory instead of a fixed size buffer.",
		"fixrevisions" => "ded93865ef42",
		"fixedversion" => "2.10.5",
		"discoveredby" => "Ulf Härnhammar"
	),
	array(
		"title"        => "Remote MXit user could specify local file path",
		"date"         => "2013-02-13",
		"cve"          => "CVE-2013-0271",
		"description"  => "The MXit protocol plugin saves an image to local disk using a filename that could potentially be partially specified by the IM server or by a remote user.",
		"fix"          => "Escape values that come from the network before using them in filenames.",
		"fixrevisions" => "a8aef1d340f2",
		"fixedversion" => "2.10.7",
		"discoveredby" => "Chris Wysopal, Veracode"
	),
	array(
		"title"        => "MXit buffer overflow reading data from network",
		"date"         => "2013-02-13",
		"cve"          => "CVE-2013-0272",
		"description"  => "The code did not respect the size of the buffer when parsing HTTP headers, and a malicious server or man-in-the-middle could send specially crafted data that could overflow the buffer.  This could lead to a crash or remote code execution.",
		"fix"          => "Check buffer bounds when reading and parsing incoming HTTP data.",
		"fixrevisions" => "879db2a9a59c",
		"fixedversion" => "2.10.7",
		"discoveredby" => "Daniel Atallah"
	),
	array(
		"title"        => "Sametime crash with long user IDs",
		"date"         => "2013-02-13",
		"cve"          => "CVE-2013-0273",
		"description"  => "libpurple failed to null-terminate user IDs that were longer than 4096 bytes.  It's plausible that a malicious server could send one of these to us, which would lead to a crash.",
		"fix"          => "Use g_strlcpy() instead of strncpy() to guarrantee that the string is null-terminated.",
		"fixrevisions" => "c31cf8de31cd",
		"fixedversion" => "2.10.7",
		"discoveredby" => "Coverity static analysis"
	),
	array(
		"title"        => "Crash when receiving a UPnP response with abnormally long values",
		"date"         => "2013-02-13",
		"cve"          => "CVE-2013-0274",
		"description"  => "libpurple failed to null-terminate some strings when parsing the response from a UPnP router.  This could lead to a crash if a malicious user on your network responds with a specially crafted message.",
		"fix"          => "Use g_strlcpy() instead of strncpy() to guarrantee that strings are null-terminated.",
		"fixrevisions" => "ad7e7fb98db3",
		"fixedversion" => "2.10.7",
		"discoveredby" => "Coverity static analysis"
	),
	array(
		"title"        => "Windows Pidgin crash receiving some characters",
		"date"         => "2014-01-28",
		"cve"          => "",
		"description"  => "The library used to render fonts would sometimes crash when attempting to display certain Unicode characters.",
		"fix"          => "Patch the version of Pango that we bundle with our installer to not crash when displaying these characters.",
		"fixrevisions" => "3542f04b5e52",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Eion Robb"
	),
	array(
		"title"        => "Yahoo! remote crash from incorrect character encoding",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2012-6152",
		"description"  => "Many places in the Yahoo! protocol plugin assumed incoming strings were UTF-8 and failed to transcode from non-UTF-8 encodings.  This can lead to a crash when receiving strings that aren't UTF-8.",
		"fix"          => "Depending on the context, either validate that a string is UTF-8 or transcode the string from the appropriate encoding to UTF-8.",
		"fixrevisions" => "b0345c25f886",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Thijs Alkemade and Robert Vehse"
	),
	array(
		"title"        => "Crash handling bad XMPP timestamp",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2013-6477",
		"description"  => "A remote XMPP user can trigger a crash on some systems by sending a message with a timestamp in the distant future.",
		"fix"          => "Avoid passing negative timestamps to localtime().",
		"fixrevisions" => "852014ae74a0",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Jaime Breva Ribes"
	),
	array(
		"title"        => "Crash when hovering pointer over a long URL",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2013-6478",
		"description"  => "libX11 forcefully exits when Pidgin tries to create an exceptionally wide tooltip window.",
		"fix"          => "Only display the first 200 characters of the URL in the tooltip.",
		"fixrevisions" => "2bb66ef1475e",
		"fixedversion" => "2.10.8",
		"discoveredby" => "<a href=\"/pipermail/support/2013-March/012980.html\">support email #1</a>, <a href=\"/pipermail/support/2013-March/012981.html\">support email #2</a>"
	),
	array(
		"title"        => "Remote crash parsing HTTP responses",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2013-6479",
		"description"  => "A malicious server or man-in-the-middle could send a malformed HTTP response that could lead to a crash.",
		"fix"          => "Validate response before using it.",
		"fixrevisions" => "cd529e1158d3",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Jacob Appelbaum of the Tor Project"
	),
	array(
		"title"        => "Remote crash reading Yahoo! P2P message",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2013-6481",
		"description"  => "The Yahoo! protocol plugin failed to validate a length field before trying to read from a buffer, which could result in reading past the end of the buffer which could cause a crash.",
		"fix"          => "Check that the length is within range.",
		"fixrevisions" => "4d139ce8f7ec",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Daniel Atallah"
	),
	array(
		"title"        => "NULL pointer dereference parsing headers in MSN",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2013-6482",
		"description"  => "A malformed Content-Length header could lead to a NULL pointer dereference.",
		"fix"          => "Check to make sure the Content-Length header has a value.",
		"fixrevisions" => "23cbfff68a0c",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen"
	),
	array(
		"title"        => "NULL pointer dereference parsing OIM data in MSN",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2013-6482",
		"description"  => "A malicious server or man-in-the-middle could send us a specially-crafted XML response that results in a NULL pointer dereference.",
		"fix"          => "Check for NULL before calling atoi().",
		"fixrevisions" => "ef836278304b",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen"
	),
	array(
		"title"        => "NULL pointer dereference parsing SOAP data in MSN",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2013-6482",
		"description"  => "A malicious server or man-in-the-middle could send us a specially-crafted SOAP response that results in a NULL pointer dereference.",
		"fix"          => "Check for NULL before using values.",
		"fixrevisions" => "68d6df7dc69c",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen"
	),
	array(
		"title"        => "XMPP doesn't verify 'from' on some iq replies",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2013-6483",
		"description"  => "The XMPP protocol plugin failed to ensure that iq replies came from the person they were sent to. A remote user could send a spoofed iq reply and attempt to guess the iq id. This could allow an attacker to inject fake data or trigger a null pointer dereference.",
		"fix"          => "Keep track of the 'to' when sending an iq stanza and make sure replies for a given stanza ID come from the same address it was sent to.",
		"fixrevisions" => "93d4bff19574",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen"
	),
	array(
		"title"        => "Crash reading response from STUN server",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2013-6484",
		"description"  => "Incorrect error handling when reading the response from a STUN server could lead to a crash.",
		"fix"          => "Fix error handling.",
		"fixrevisions" => "932b985540e9",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Coverity static analysis"
	),
	array(
		"title"        => "Buffer overflow parsing chunked HTTP responses",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2013-6485",
		"description"  => "A malicious server or man-in-the-middle could cause a buffer overflow by sending a malformed HTTP response with chunked Transfer-Encoding with invalid chunk sizes.",
		"fix"          => "Enforce a maximum size for chunks.",
		"fixrevisions" => "c9e5aba2dafd",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Matt Jones, Volvent"
	),
	array(
		"title"        => "Pidgin uses clickable links to untrusted executables",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2013-6486",
		"description"  => "If a user clicks on a file:// URI in a received IM in Windows builds of Pidgin, Pidgin attempts to execute the file. This can be dangerous if the file:// URI is a path on a network share. This was <a href=\"?id=55\">originally reported in CVE-2011-3185 in 2011</a> and we attempted to fix it then, but failed.",
		"fix"          => "Don't attempt to execute files when the user clicks a file:// URI. Instead, open a file browser at the file's location.",
		"fixrevisions" => "b2571530fa8b",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Originally by James Burton, Insomnia Security. Rediscovered by Yves Younan of Sourcefire VRT."
	),
	array(
		"title"        => "Buffer overflow in Gadu-Gadu HTTP parsing",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2013-6487",
		"description"  => "A malicious server or man-in-the-middle could send a large value for Content-Length and cause an integer overflow which could lead to a buffer overflow.",
		"fix"          => "Enforce a maximum size for content-length.",
		"fixrevisions" => "ec15aa187aa0",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Yves Younan and Ryan Pentney of Sourcefire VRT"
	),
	array(
		"title"        => "Buffer overflow in MXit emoticon parsing",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2013-6489",
		"description"  => "A specially crafted emoticon value could cause an integer overflow which could lead to a buffer overflow.",
		"fix"          => "Use an unsigned integer and enforce a maximum size.",
		"fixrevisions" => "4c897372b5a4",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Yves Younan and Pawel Janic of Sourcefire VRT"
	),
	array(
		"title"        => "Buffer overflow in SIMPLE header parsing",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2013-6490",
		"description"  => "A Content-Length of -1 could lead to a buffer overflow.",
		"fix"          => "Ignore messages with negative values for Content-Length.",
		"fixrevisions" => "6bd2dd10e5da",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Yves Younan of Sourcefire VRT"
	),
	array(
		"title"        => "Remotely triggerable crash in IRC argument parsing",
		"date"         => "2014-01-28",
		"cve"          => "CVE-2014-0020",
		"description"  => "A malicious server or man-in-the-middle could trigger a crash in libpurple by sending a message with fewer than expected arguments.",
		"fix"          => "Verify that incoming messages contain the appropriate number of arguments before handling them.",
		"fixrevisions" => "a167504359e5,9f132a6855cd,5845d9fa7084,6b0e0566af20,4d9be297d399,7d0fb0c6d8d4",
		"fixedversion" => "2.10.8",
		"discoveredby" => "Daniel Atallah"
	),
	array(
		"title"        => "Insufficient SSL certificate validation",
		"date"         => "2014-10-22",
		"cve"          => "CVE-2014-3694",
		"description"  => "Both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one for NSS) failed to check that the Basic Constraints extension allowed intermediate certificates to act as CAs. This allowed anyone with any valid certificate to create a fake certificate for any arbitrary domain and Pidgin would trust it.",
		"fix"          => "Both bundled plugins were changed to check the Basic Constraints extension on all intermediate CA certificates.",
		"fixrevisions" => "2e4475087f04",
		"fixedversion" => "2.10.10",
		"discoveredby" => "An anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability"
	),
	array(
		"title"        => "Remote crash parsing malformed MXit emoticon",
		"date"         => "2014-10-22",
		"cve"          => "CVE-2014-3695",
		"description"  => "A malicious server or man-in-the-middle could trigger a crash in libpurple by sending an emoticon with an overly large length value.",
		"fix"          => "Verify that the length value is valid before attempting to read data from the buffer.",
		"fixrevisions" => "6436e14bdb9d",
		"fixedversion" => "2.10.10",
		"discoveredby" => "Yves Younan and Richard Johnson of Cisco Talos"
	),
	array(
		"title"        => "Remote crash parsing malformed Groupwise message",
		"date"         => "2014-10-22",
		"cve"          => "CVE-2014-3696",
		"description"  => "A malicious server or man-in-the-middle could trigger a crash in libpurple by specifying that a large amount of memory should be allocated in many places in the UI.",
		"fix"          => "Impose a maximum length when reading various types of messages.",
		"fixrevisions" => "44fd89158777",
		"fixedversion" => "2.10.10",
		"discoveredby" => "Yves Younan and Richard Johnson of Cisco Talos"
	),
	array(
		"title"        => "Malicious smiley themes could alter arbitrary files",
		"date"         => "2014-10-22",
		"cve"          => "CVE-2014-3697",
		"description"  => "A bug in the untar code on Windows could allow a malicious smiley theme to place a file anywhere on the file system, or alter an existing file when installing a smiley theme via drag and drop on Windows.",
		"fix"          => "Fix the untar code to ensure all paths are relative.",
		"fixrevisions" => "68b8eb10977f",
		"fixedversion" => "2.10.10",
		"discoveredby" => "Yves Younan of Cisco Talos"
	),
	array(
		"title"        => "Potential information leak from XMPP",
		"date"         => "2014-10-22",
		"cve"          => "CVE-2014-3698",
		"description"  => "A malicious server and possibly even a malicious remote user could create a carefully crafted XMPP message that causes libpurple to send an XMPP message containing arbitrary memory.",
		"fix"          => "Correctly determine the start and end position of buffers when performing stringprep.",
		"fixrevisions" => "ea46ab68f0dc",
		"fixedversion" => "2.10.10",
		"discoveredby" => "Thijs Alkemade and Paul Aurich"
	)
);
/*	Template for the unfortunate future
	array(
		"title"        => "",
		"date"         => "",
		"cve"          => "",
		"description"  => "",
		"fix"          => "",
		"fixrevisions" => "",
		"fixedversion" => "",
		"discoveredby" => ""
	),
*/

?>

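<?php
// The only request-derived values that ever reach the output are $id and
// $offset below, and both are forced to int before use.  The advisory fields
// themselves ($vulnerabilities, authored in this file) contain intentional
// markup such as the links in "discoveredby", so they are echoed without
// htmlspecialchars() on purpose; that is only safe because no request data
// is ever stored in them.

if (array_key_exists('id', $_GET)) {
	// Read in the ID of the vulnerability the user wants to view.  intval()
	// turns any non-numeric value into 0, which is then range-checked below.
	$id = intval($_GET['id']);
} else {
	$id = null;
}

$total = count($vulnerabilities);

if ($id === null || $id < 0 || $id >= $total) {
	// display the vulnerability index unless the ID is valid
?>

<h1>Pidgin Security Advisories</h1>

<p>This page lists all potential security vulnerabilities discovered since
August 1st, 2004 in Pidgin (or Gaim), Finch, libpurple, or any official
plugins included with those programs.</p>

<table>
  <tr>
    <th>Title</th>
    <th>CVE Name</th>
    <th>Date</th>
    <th>Fixed In</th>
  </tr>

<?php

// ?offset= is the number of advisories (newest first) to skip.  Cast it to
// int exactly as ?id= is: previously the raw query-string value flowed into
// the arithmetic and the "Newer"/"Older" links below, so a non-numeric or
// fractional value produced warnings and non-integer array indices.
$offset = array_key_exists('offset', $_GET) ? intval($_GET['offset']) : 0;

if ($offset >= $total || $offset < 0) {
	$offset = 0;
}

// Entries are stored oldest-first, so a page walks the indices downwards
// from $start to $stop inclusive.  $stop is chosen so that a page holds
// exactly $max_per_page entries; the earlier extra "- 1" here made every
// page one entry too long, so the last row of one page was repeated as
// the first row of the next.
$start = $total - $offset - 1;
$stop  = max(0, $total - $offset - $max_per_page);

for ($i = $start; $i >= $stop; $i--) {
	$vun = $vulnerabilities[$i];
?>
  <tr>
    <td><a href="?id=<?php echo $i ?>"><?php echo $vun['title'] ?></a></td>
<?php
	if (!empty($vun['cve'])) {
    ?>
    <td><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=<?php echo $vun['cve'] ?>"><?php echo $vun['cve'] ?></a></td>
<?php
	} else {
    ?>
    <td>N/A</td>
<?php
	}
    ?>
    <td class="date"><?php echo $vun['date'] ?></td>
    <td><?php echo $vun['fixedversion'] ?></td>
  </tr>
<?php
}
?>
</table>

<?php
// "Newer" exists whenever entries were skipped; "Older" whenever index 0
// did not fit on this page.  The "Newer" target is clamped so it never
// emits a negative offset.
if ($offset > 0) {
?>
<a href="?offset=<?php echo max(0, $offset - $max_per_page) ?>">Newer</a>
<?php
}
if ($stop > 0) {
?>
<a href="?offset=<?php echo ($offset + $max_per_page) ?>">Older</a>
<?php
}
?>

<?php

} else {
	// display the individual vulnerability ($id is a validated int index)
	$vun = $vulnerabilities[$id];
?>

<h1>Pidgin Security Advisory</h1>

<table>

<?php
	$cve_name = empty($vun['cve'])
		? "N/A"
		: "<a href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=" . $vun['cve'] . "\">" . $vun['cve'] . "</a>";

	echo "<tr><th>Title</th><td>", $vun['title'], "</td></tr>\n";
	echo "<tr><th>Date</th><td>", $vun['date'], "</td></tr>\n";
	echo "<tr><th>CVE Name</th><td>", $cve_name, "</td></tr>\n";
	echo "<tr><th>Discovered By</th><td>", $vun['discoveredby'], "</td></tr>\n";
	if (!empty($vun['summary'])) {
		echo "<tr><th>Summary</th><td>", $vun['summary'], "</td></tr>\n";
	}
	echo "<tr><th>Description</th><td>", $vun['description'], "</td></tr>\n";

	if (!empty($vun['fixrevisions'])) {
		// fixrevisions is a comma delimited list of revisions.  Linkify each
		// one individually and separate them with line breaks.
		$links = array_map(
			function ($revision) {
				return "<a href=\"http://hg.pidgin.im/pidgin/main/rev/$revision\">$revision</a>";
			},
			explode(',', $vun['fixrevisions'])
		);
		echo "<tr><th>Fixed in Revision</th><td>", implode("<br/>", $links), "</td></tr>\n";
	}

	echo "<tr><th>Fixed in Version</th><td>", $vun['fixedversion'], "</td></tr>\n";
	echo "<tr><th>Fix</th><td>", $vun['fix'], "</td></tr>\n";
?>
</table>

<p><a href="?offset=0">Return to Security Advisory Index</a></p>
<?php
}
?>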

</div>
</div>

</div>

<?php /* Shared site footer, resolved relative to the document root like the header above. */ include $_SERVER['DOCUMENT_ROOT'] . "/../inc/footer.inc"; ?>
