Launchpad has imported 7 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=514957.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2009-07-31T16:22:16+00:00 Tomas wrote:

Core Security Technologies reported that previous upstream fixes addressing an insufficient input validation flaw in pidgin / libpurple in the function msn_slplink_process_msg() are insufficient and can be bypassed. This flaw allows an attacker to overwrite pidgin's memory and possibly execute arbitrary code with the privileges of the user running an application using libpurple.

This issue was previously tracked as CVE-2008-2927 (bug #453764) and CVE-2009-1376 (bug #500493, incomplete fix).

Reply at: https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/416306/comments/0

------------------------------------------------------------------------
On 2009-08-13T12:31:56+00:00 Tomas wrote:

Mitigation: Users can lower the impact of this flaw by making sure their privacy settings only allow Pidgin to accept messages from the users on their buddy list. This will prevent exploitation of this flaw by other random MSN users.

Reply at: https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/416306/comments/1

------------------------------------------------------------------------
On 2009-08-13T12:39:01+00:00 Tomas wrote:

Technically, this is not really an incomplete fix of the previous integer overflow issues, rather a new issue affecting the same code part as the previous issues. In the new attack, the attacker aims to exploit a NULL pointer dereference flaw. This is achieved by sending a message with a non-0 offset. When such a message is processed in msn_slplink_process_msg(), msn_slplink_message_find() is called to find previous parts of the message sent within the same session.
With specially crafted previous messages, msn_slplink_message_find() may return a structure for an ACK message rather than a request message, which later triggers a NULL pointer dereference in:

    memcpy(slpmsg->buffer + offset, data, len);

In an ACK message, slpmsg->buffer is NULL and the attacker-supplied offset can be used to control what memory area will be overwritten.

Reply at: https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/416306/comments/2

------------------------------------------------------------------------
On 2009-08-18T17:21:56+00:00 Josh wrote:

This is now public: http://developer.pidgin.im/viewmtn/revision/info/6f7343166c673bf0496ecb1afec9b633c1d54a0e

Reply at: https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/416306/comments/3

------------------------------------------------------------------------
On 2009-08-18T18:00:57+00:00 errata-xmlrpc wrote:

This issue has been addressed in the following products:

Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2009:1218 https://rhn.redhat.com/errata/RHSA-2009-1218.html

Reply at: https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/416306/comments/4

------------------------------------------------------------------------
On 2009-08-21T08:58:49+00:00 Jan wrote:

MITRE's CVE-2009-2694 record:
-----------------------------
The msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by sending multiple crafted SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary memory location. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1376.
References:
-----------
http://www.coresecurity.com/content/libpurple-arbitrary-write
http://developer.pidgin.im/viewmtn/revision/info/6f7343166c673bf0496ecb1afec9b633c1d54a0e
http://developer.pidgin.im/wiki/ChangeLog
http://www.pidgin.im/news/security/?id=34
http://secunia.com/advisories/36384
http://secunia.com/advisories/36392
http://secunia.com/advisories/36401
http://www.vupen.com/english/advisories/2009/2303

Reply at: https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/416306/comments/9

------------------------------------------------------------------------
On 2009-08-24T07:32:28+00:00 Tomas wrote:

All current Fedora versions are now updated to 2.6.0+ too.

Reply at: https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/416306/comments/10

** Changed in: pidgin (Fedora)
   Importance: Unknown => Critical

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2927

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1376

-- 
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pidgin in Ubuntu.
https://bugs.launchpad.net/bugs/416306

Title:
  CVE-2009-2694 Security vulnerability in pidgin < 2.5.9

Status in Pidgin:
  Fix Released
Status in pidgin package in Ubuntu:
  Fix Released
Status in pidgin package in Debian:
  Fix Released
Status in pidgin package in Fedora:
  Fix Released
Status in pidgin package in Gentoo Linux:
  Fix Released

Bug description:
  Binary package hint: pidgin

  Pidgin <= 2.5.8 is vulnerable to a remote MSN bug. Specially crafted SLP messages can cause a buffer overflow and allow a remote attacker to execute code on the system running pidgin. This does not require the attacker to be on the list of the pidgin user. This is caused by a problem in libpurple <= 2.5.8.
  More information can be found on:
  http://www.pidgin.im/news/security/?id=34
  http://www.coresecurity.com/content/libpurple-arbitrary-write
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694
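The validation that Tomas's third comment above says the memcpy lacks (a part with a NULL slpmsg->buffer reached through an attacker-chosen offset), written as an added C example that is not Pidgin's or libpurple's code: the slp_msg_t type, slp_append_part() and slp_demo() are hypothetical, simplified stand-ins, and the two checks show the kind of guard a reassembly routine needs before copying a part at an offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified stand-in for libpurple's SLP message struct:
 * an ACK carries no data, so its buffer is NULL and its size is 0. */
typedef struct {
    int is_ack;
    unsigned char *buffer;
    size_t size;            /* bytes allocated for buffer */
} slp_msg_t;

enum { SLP_OK = 0, SLP_ERR_NO_BUFFER = 1, SLP_ERR_RANGE = 2 };

/* Copy one message part to its offset in the reassembly buffer.
 * Both checks are what the memcpy in the report lacks: a message with
 * no buffer (an ACK returned by the lookup) is refused, and offset + len
 * must fit inside the allocation, tested without integer overflow. */
int slp_append_part(slp_msg_t *m, const unsigned char *data,
                    size_t len, uint64_t offset)
{
    if (m->buffer == NULL)
        return SLP_ERR_NO_BUFFER;
    if (offset > m->size || len > m->size - (size_t)offset)
        return SLP_ERR_RANGE;
    memcpy(m->buffer + (size_t)offset, data, len);
    return SLP_OK;
}

/* Constructed scenarios: 0 = ACK with NULL buffer and non-zero offset,
 * 1 = part that fits, 2 = part that would run past the 16-byte buffer,
 * 3 = huge offset that would wrap size_t arithmetic. */
int slp_demo(int scenario)
{
    unsigned char buf[16] = {0};
    const unsigned char part[4] = {'d', 'a', 't', 'a'};
    slp_msg_t ack = {1, NULL, 0};
    slp_msg_t req = {0, buf, sizeof buf};
    switch (scenario) {
    case 0:  return slp_append_part(&ack, part, 4, 8);
    case 1:  return slp_append_part(&req, part, 4, 12);
    case 2:  return slp_append_part(&req, part, 4, 13);
    default: return slp_append_part(&req, part, 4, UINT64_MAX);
    }
}
```

Only scenario 1 reaches the memcpy; the ACK case and both out-of-range cases are rejected before any write happens.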

