Bug 394239 (CVE-2011-4601) - <net-im/pidgin-2.10.1 DoS (CVE-2011-{4601,4602,4603})
Summary: <net-im/pidgin-2.10.1 DoS (CVE-2011-{4601,4602,4603})
Status: RESOLVED FIXED
Alias: CVE-2011-4601
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-10 12:50 UTC by Agostino Sarubbo
Modified: 2012-03-06 01:19 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2011-12-10 12:50:04 UTC
From oss-security ML at $URL:

Description:
This is a remotely-triggerable crash in the oscar protocol (used by
the AIM and ICQ plugins) when handling incoming buddy list-related
SNACs.

Solution:
Fixed in 2.10.1 (not yet released)
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2011-12-12 18:30:29 UTC
2.10.1 is in tree. Arch teams, please, test it and stabilize.
=net-im/pidgin-2.10.1
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2011-12-12 20:02:12 UTC
Also CVE-2011-4603 (http://pidgin.im/news/security/?id=59):

Title	SILC remote crash
Date	2011-09-29
CVE Name	CVE-2011-4603
Discovered By	Diego Bauche Madero from IOActive
Description	When receiving various incoming messages, the SILC protocol plugin failed to validate that a piece of text was UTF-8. In some cases invalid UTF-8 data would lead to a crash. This vulnerability is similar to CVE-2011-3594, but occurs in a different piece of code and was fixed at a later date.
Fixed in Revision	afb9ede3de989f217f03d5670cca00e628bd11f1
Fixed in Version	2.10.1
Fix	Validate incoming strings as UTF-8 before using them as such.
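
An added example, not part of the bug report and not the Pidgin fix itself: a strict UTF-8 check applied to an incoming message buffer before it is used as a C string, which is the kind of validation the advisory's "Fix" line calls for. The names `utf8_valid` and `accept_message` and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if buf[0..len) is well-formed UTF-8 (RFC 3629) with no embedded
 * NUL, else 0; on failure *bad receives the offset of the offending sequence. */
int utf8_valid(const unsigned char *buf, size_t len, size_t *bad)
{
    size_t i = 0, k;
    while (i < len) {
        unsigned char c = buf[i];
        size_t need = 0;               /* continuation bytes expected */
        unsigned long cp = 0, min = 0; /* code point, smallest legal value */
        if (c == 0x00) break;          /* would truncate the C string */
        if (c < 0x80) { i++; continue; }
        if ((c & 0xE0) == 0xC0)      { need = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; min = 0x10000; }
        else break;                    /* stray continuation byte or 0xF8..0xFF */
        if (len - i <= need) break;    /* sequence cut off by end of buffer */
        for (k = 1; k <= need && (buf[i + k] & 0xC0) == 0x80; k++)
            cp = (cp << 6) | (buf[i + k] & 0x3F);
        if (k <= need) break;          /* missing continuation byte */
        /* reject overlong forms, values past U+10FFFF, and surrogates */
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) break;
        i += need + 1;
    }
    if (i == len) return 1;
    if (bad) *bad = i;
    return 0;
}

/* Hypothetical receive path: copy into out only after validation succeeds. */
int accept_message(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    if (len >= outsz || !utf8_valid(buf, len, NULL)) return -1;
    memcpy(out, buf, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed samples: valid text, truncated sequence, overlong '/' */
    const unsigned char ok[] = "caf\xC3\xA9", cut[] = "hi\xC3", over[] = "\xC0\xAF";
    char out[32];
    printf("%d ", accept_message(ok, 5, out, sizeof out));
    printf("%d ", accept_message(cut, 3, out, sizeof out));
    printf("%d\n", accept_message(over, 2, out, sizeof out));
    return 0;
}
```

Rejecting the message outright is one policy; a client could instead replace the bad bytes before display, as long as unvalidated data never reaches code that assumes UTF-8.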
Comment 3 Agostino Sarubbo gentoo-dev 2011-12-12 22:38:12 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2011-12-13 15:05:47 UTC
Stable for HPPA.
Comment 5 Myckel Habets 2011-12-17 06:34:23 UTC
Builds and runs fine for x86. Please mark stable for x86.
Comment 6 Agostino Sarubbo gentoo-dev 2011-12-17 17:43:11 UTC
x86 stable, thanks Myckel
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2011-12-18 16:10:47 UTC
alpha/ia64/sparc stable and arm is not stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2011-12-20 00:06:07 UTC
CVE-2011-4603 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4603):
  The silc_channel_message function in ops.c in the SILC protocol plugin in
  libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8
  validation on message data, which allows remote attackers to cause a denial
  of service (application crash) via a crafted message, a different
  vulnerability than CVE-2011-3594.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-12-20 00:07:27 UTC
CVE-2011-4602 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4602):
  The XMPP protocol plugin in libpurple in Pidgin before 2.10.1 does not
  properly handle missing fields in (1) voice-chat and (2) video-chat stanzas,
  which allows remote attackers to cause a denial of service (application
  crash) via a crafted message.
Comment 10 Mark Loeser (RETIRED) gentoo-dev 2011-12-27 00:44:36 UTC
ppc/ppc64 done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-12-27 05:21:47 UTC
Thanks, everyone. GLSA Vote: no.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 01:26:45 UTC
CVE-2011-4601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4601):
  family_feedbag.c in the oscar protocol plugin in libpurple in Pidgin before
  2.10.1 does not perform the expected UTF-8 validation on message data, which
  allows remote attackers to cause a denial of service (application crash) via
  a crafted (1) AIM or (2) ICQ message associated with buddy-list addition.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 01:19:30 UTC
Vote: No. Closing noglsa.