I received this security report today from SecurityMetrics that has some interesting things to be aware of in libpurple... (They are marked as "Pidgin" issues, but most are protocol level items which may apply to anyone using libPurple)

October 23, 2009
2009-10-23: Pidgin 'msn_slplink_process_msg()' NULL Pointer Dereference Remote Code Execution Vulnerability Attackers can exploit this issue to execute arbitrary code in the context of an affected application. Failed attacks may cause a denial-of-service condition.
http://www.securityfocus.com/bid/36071

October 23, 2009
2009-10-23: Pidgin 'protocols/jabber/auth.c' JABBER Server XMPP Specifications Man In The Middle Vulnerability Attackers can exploit this issue to sniff instant-messaging sessions and obtain potentially sensitive information.
http://www.securityfocus.com/bid/36368

October 23, 2009
2009-10-23: Pidgin Multiple Buffer Overflow Vulnerabilities Successful exploits may allow attackers to execute arbitrary code with the privileges of a user running the software or cause denial-of-service conditions.
http://www.securityfocus.com/bid/35067

October 23, 2009
2009-10-23: Pidgin OSCAR Protocol Web Message Denial of Service Vulnerability Successful exploits will cause the affected application to crash, effectively denying service to legitimate users.
http://www.securityfocus.com/bid/35530

October 22, 2009
T-256: Pidgin OSCAR Plugin Invalid Memory Access Denial Of Service Vulnerability Attackers can exploit this issue to cause denial-of-service conditions. Given the nature of these issues, attackers may also be able to run arbitrary code, but this has not been confirmed. A remote attacker could exploit this issue to cause denial-of-service conditions. This risk is medium.
http://www.doecirc.energy.gov/bulletins/t-256.shtml

- Alan
______
Alan Humpherys
Adium Development Team
ala...@adium.im
http://www.adium.im
