Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 04 Oct 2011 14:02:09 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: security@...gin.im
Subject: Re: libpurple vulnerability disclosure and fix

Please use CVE-2011-3594.

Thanks.

-- 
    JB


----- Original Message -----
> Hello all,
> 
> A libpurple vulnerability was made known to the Pidgin developers via
> our public bug tracker which affects the SILC protocol plugin and all
> software which uses SILC via libpurple.  The original identification
> of the vulnerability and bug report was made by Diego Bauche Madero
> from IOActive <diego.madero@...ctive.com>, and can be seen on the
> Pidgin bug tracker as Bug #14636:
> 
>     http://developer.pidgin.im/ticket/14636
> 
> The vulnerability lies in calling g_markup_escape_text() on strings
> which have not been verified as valid UTF-8.  This function is not
> required to do anything reasonable with invalid UTF-8, and indeed
> reads past the end of the string and will eventually segfault for
> certain sequences in some versions of Glib 2.  Because the behavior
> of
> this function is undefined, and depends on the particular version of
> Glib 2 in use, the complete ramifications of this bug are unknown.
> Remote crashing of a libpurple client by untrusted users via
> specifically crafted SILC messages is a verified vulnerability.
> 
> This bug is believed to affect all releases of libpurple up to and
> including version 2.10.0.
> 
> The correct fix for this bug is UTF-8 validation (and correction if
> necessary) of the incoming string before passing it to Glib.  A patch
> which provides this fix has been applied to the Pidgin sources in
> revision 7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8 and will appear in
> all future Pidgin releases.  For reference, it is:
> 
>     http://developer.pidgin.im/viewmtn/revision/diff/be5e66abad2af29604bc794cc4c6600ab12751f3/with/7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8
> 
> All packagers of libpurple (including monolithic Pidgin and/or finch
> packages) who have not already done so are encouraged to apply this
> change to their packages immediately.
> 
> We would also like to request a CVE number for this issue.
> 
> Any sensitive follow-ups to this issue, or any other Pidgin, finch,
> or
> libpurple issue, may be directed to security@...gin.im.
> 
> Thank you,
> Ethan
> 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.