Ubuntu
pidgin package

CVE-2009-2694: MSN overflow parsing SLP messages leads to remote vulnerability

Bug #415863 reported by Mathias Weyland
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pidgin (Ubuntu)
Fix Released
Medium
Marc Deslauriers

Bug Description

Binary package hint: libpurple0

[1] Original posting: http://www.coresecurity.com/content/libpurple-arbitrary-write
[2] Pidgin Security Advisory: http://www.pidgin.im/news/security/?id=34

Quote from [1]:

" If the victim has its privacy settings set to "everyone can contact me", the victim is not required to be in the attacker's contact list. Otherwise that is the only requirement for exploitation and no other victim interaction is required. "

[1] claims that libpurple <= 2.5.8 is vulnerable and that the issue was fixed in libpurple >= 2.6.0 while [2] claims that it's fixed in 2.5.9.

Revision history for this message
Mathias Weyland (launchpad-weyland) wrote :

I checked the monotone repository. Patches seem to be:

http://developer.pidgin.im/viewmtn/revision/info/6f7343166c673bf0496ecb1afec9b633c1d54a0e
http://developer.pidgin.im/viewmtn/revision/info/0899f42c08f68d7811a5b0ebe68acd5b85eddc13

Regards, Matt

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for the patches Matt. I'm working on this now.

Changed in pidgin (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Mathias Weyland (launchpad-weyland) wrote :

You are welcome. This may be of some help, too:

https://launchpad.net/~launchpad-weyland/+archive/pidgin-safe

There is an new patch in debian/patches/, the changes are trivial, though. I just had to deploy this ASAP because I did not know how long it would take for the official ubuntu packages. There are also rumours of a second CVE related to file transfers and the yahoo protocol but I have no clue about the details and there is no pidgin security advisory (yet?).

Regards, Matt

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is the second issue: http://developer.pidgin.im/ticket/9946

But, AFAICT, it doesn't affect the versions we carry.

Marc Deslauriers (mdeslaur)
visibility: private → public
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.5.5-1ubuntu8.4

---------------
pidgin (1:2.5.5-1ubuntu8.4) jaunty-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted MSNSLP packet
    (LP: #415863)
    - debian/patches/78_security_CVE-2009-2694.patch: properly destroy
      slpmsg in libpurple/protocols/{msn,msnp9}/slplink.c.
    - CVE-2009-2694

 -- Marc Deslauriers <email address hidden> Wed, 19 Aug 2009 12:49:11 -0400

Changed in pidgin (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.