Bug 342059 (CVE-2010-3711) - <net-im/pidgin-2.7.4: Remote Denial of Service Vulnerabilities (CVE-2010-3711)
Summary: <net-im/pidgin-2.7.4: Remote Denial of Service Vulnerabilities (CVE-2010-3711)
Status: RESOLVED FIXED
Alias: CVE-2010-3711
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://pidgin.im/news/security/?id=48
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 342017
Blocks:
Reported: 2010-10-21 19:36 UTC by Tim Sammut (RETIRED)
Modified: 2011-01-03 20:56 UTC
Runtime testing required: ---
Description Tim Sammut (RETIRED) gentoo-dev 2010-10-21 19:36:16 UTC
From $URL:

Title: purple_base64_decode() remote crashes

CVE Name: CVE-2010-3711

Discovered By: Daniel Atallah

Summary: Multiple remotely-triggered denials of service

Description: It has been discovered that eight denial of service conditions exist in libpurple all due to insufficient validation of the return value from purple_base64_decode(). Invalid or malformed data received in place of a valid base64-encoded value in portions of the Yahoo!, MSN, MySpaceIM, and XMPP protocol plugins and the NTLM authentication support trigger a crash. These vulnerabilities can be leveraged by a remote user for denial of service.

Fixed in Revision: b01c6a1f7fe4d86b83f5f10917b3cb713989cfcc

Fixed in Version: 2.7.4
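As an added illustration of the bug class named in the advisory (not libpurple's code; every name below is hypothetical): a stand-in decoder with the contract the advisory relies on, NULL for malformed input, next to a caller that skips the return-value check and a caller that treats the NULL as a protocol error.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for purple_base64_decode() (not libpurple's code):
 * returns a malloc'd buffer and sets *out_len, or NULL on malformed input. */
static unsigned char *hypothetical_base64_decode(const char *in, size_t *out_len) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t len = strlen(in), n = 0;
    if (len == 0 || len % 4 != 0) return NULL;
    unsigned char *out = malloc(len / 4 * 3);
    if (!out) return NULL;
    for (size_t i = 0; i < len; i += 4) {
        unsigned v = 0; int pad = 0;
        for (int j = 0; j < 4; j++) {
            char c = in[i + j];
            v <<= 6;
            if (c == '=') { pad++; continue; }
            const char *p = strchr(tbl, c);
            if (!p || pad) { free(out); return NULL; } /* bad char, or data after '=' */
            v |= (unsigned)(p - tbl);
        }
        /* at most two '=' and only in the final quad */
        if (pad > 2 || (pad && i + 4 != len)) { free(out); return NULL; }
        out[n++] = (v >> 16) & 0xff;
        if (pad < 2) out[n++] = (v >> 8) & 0xff;
        if (pad < 1) out[n++] = v & 0xff;
    }
    *out_len = n;
    return out;
}

/* Vulnerable pattern (the CVE-2010-3711 bug class): NULL return never checked. */
static int unchecked_first_byte(const char *b64) {
    size_t n;
    unsigned char *buf = hypothetical_base64_decode(b64, &n);
    int b = buf[0]; /* NULL dereference when the input is not valid base64 */
    free(buf);
    return b;
}

/* Hardened caller: a NULL or empty result is a protocol error, not a crash. */
static int checked_first_byte(const char *b64) {
    size_t n = 0;
    unsigned char *buf = hypothetical_base64_decode(b64, &n);
    if (buf == NULL || n == 0) { free(buf); return -1; }
    int b = buf[0];
    free(buf);
    return b;
}
```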
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2010-10-25 10:59:14 UTC
New version was just added to the tree. Arch teams, please, go ahead.
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2010-10-25 13:45:52 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2010-10-25 17:08:27 UTC
good on amd64.
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2010-10-25 20:35:25 UTC
amd64 done. Thanks Agostino
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-10-26 09:39:32 UTC
Stable for HPPA.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2010-10-26 13:45:06 UTC
Stable for PPC.
Comment 7 Mark Loeser (RETIRED) gentoo-dev 2010-10-29 21:46:56 UTC
ppc64 done
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-10-30 18:05:02 UTC
alpha/ia64/sparc stable
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2010-10-30 18:37:36 UTC
Thanks, folks.

GLSA Vote: Yes, unauthenticated remote DoS in popular client software.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 16:55:06 UTC
Vote: NO. Client DoS only.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2011-01-03 20:56:10 UTC
Client crash is hardly a security issue so GLSA Vote: no -> Closing. Feel free to reopen if you disagree.