On Fri, Oct 23, 2009 at 15:51, Alan Humpherys <ala...@adium.im> wrote:
> I received this security report today from SecurityMetrics that has some > interesting things to be aware of in libpurple... (They are marked as > "Pidgin" issues, but most are protocol level items which may apply to anyone > using libPurple) > Almost all of these are really old… just look at the "affected version" numbers. 1.3.6/7 have 2.5.8, 1.4.x is 2.6.x, and some of them mention the fixed Adium versions, too. > October 23, 2009 > 2009-10-23: Pidgin 'msn_slplink_process_msg()' NULL Pointer Dereference > Remote Code Execution Vulnerability Attackers can exploit this issue to > execute arbitrary code in the context of an affected application. Failed > attacks may cause a denial-of-service condition. > http://www.securityfocus.com/bid/36071 > > Fixed in stable Adium. > October 23, 2009 > 2009-10-23: Pidgin 'protocols/jabber/auth.c' JABBER Server XMPP > Specifications Man In The Middle Vulnerability Attackers can exploit this > issue to sniff instant-messaging sessions and obtain potentially sensitive > information. > http://www.securityfocus.com/bid/36368 > Fixed in 1.4. > > October 23, 2009 > 2009-10-23: Pidgin Multiple Buffer Overflow Vulnerabilities Successful > exploits may allow attackers to execute arbitrary code with the privileges > of a user running the software or cause denial-of-service conditions. > http://www.securityfocus.com/bid/35067 > Fixed in stable Adium. > > October 23, 2009 > 2009-10-23: Pidgin OSCAR Protocol Web Message Denial of Service > Vulnerability Successful exploits will cause the affected application to > crash, effectively denying service to legitimate users. > http://www.securityfocus.com/bid/35530 > Fixed in stable Adium. > > October 22, 2009 > T-256: Pidgin OSCAR Plugin Invalid Memory Access Denial Of Service > Vulnerability Attackers can exploit this issue to cause denial-of-service > conditions. Given the nature of these issues, attackers may also be able to > run arbitrary code, but this has not been confirmed. A remote attacker could > exploit this issue to cause denial-of-service conditions. This risk is > medium. > http://www.doecirc.energy.gov/bulletins/t-256.shtml > Fixed in stable Adium. -- Zachary West
