CVE-2009-2694: MSN overflow parsing SLP messages leads to remote vulnerability

Bug #415863 reported by Mathias Weyland on 2009-08-19
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pidgin (Ubuntu)
Medium
Marc Deslauriers

Bug Description

Binary package hint: libpurple0

[1] Original posting: http://www.coresecurity.com/content/libpurple-arbitrary-write
[2] Pidgin Security Advisory: http://www.pidgin.im/news/security/?id=34

Quote from [1]:

" If the victim has its privacy settings set to "everyone can contact me", the victim is not required to be in the attacker's contact list. Otherwise that is the only requirement for exploitation and no other victim interaction is required. "

[1] claims that libpurple <= 2.5.8 is vulnerable and that the issue was fixed in libpurple >= 2.6.0 while [2] claims that it's fixed in 2.5.9.

Marc Deslauriers (mdeslaur) wrote :

Thanks for the patches Matt. I'm working on this now.

Changed in pidgin (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)

You are welcome. This may be of some help, too:

https://launchpad.net/~launchpad-weyland/+archive/pidgin-safe

There is an new patch in debian/patches/, the changes are trivial, though. I just had to deploy this ASAP because I did not know how long it would take for the official ubuntu packages. There are also rumours of a second CVE related to file transfers and the yahoo protocol but I have no clue about the details and there is no pidgin security advisory (yet?).

Regards, Matt

Marc Deslauriers (mdeslaur) wrote :

This is the second issue: http://developer.pidgin.im/ticket/9946

But, AFAICT, it doesn't affect the versions we carry.

visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.5.5-1ubuntu8.4

---------------
pidgin (1:2.5.5-1ubuntu8.4) jaunty-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted MSNSLP packet
    (LP: #415863)
    - debian/patches/78_security_CVE-2009-2694.patch: properly destroy
      slpmsg in libpurple/protocols/{msn,msnp9}/slplink.c.
    - CVE-2009-2694

 -- Marc Deslauriers <email address hidden> Wed, 19 Aug 2009 12:49:11 -0400

Changed in pidgin (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.