Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 457580 (CVE-2013-0271) - <net-im/pidgin-2.10.7: Multiple Vulnerabilities (CVE-2013-{0271,0272,0273,0274})
Summary: <net-im/pidgin-2.10.7: Multiple Vulnerabilities (CVE-2013-{0271,0272,0273,0274})
Status: RESOLVED FIXED
Alias: CVE-2013-0271
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52178/
Whiteboard: B1 [glsa]
Keywords:
: 458304 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-02-14 18:57 UTC by Agostino Sarubbo
Modified: 2014-05-18 17:50 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-02-14 18:57:55 UTC
From ${URL} :

Description
Multiple vulnerabilities have been reported in Pidgin, which can be exploited by malicious people to manipulate certain data, cause a DoS (Denial of Service), and 
compromise a user's system.

1) An error within the MXit protocol plugin when saving images can be exploited to overwrite certain files.

2) A boundary error within the "mxit_cb_http_read()" function (libpurple/protocols/mxit/http.c) when parsing incoming HTTP headers can be exploited to cause a stack-based 
buffer overflow via a specially crafted HTTP header.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

3) An error within the "mw_prpl_normalize()" function (libpurple/protocols/sametime/sametime.c) when handling user ID longer than 4096 bytes can be exploited to cause a 
crash.

4) Some errors within the "upnp_parse_description_cb()", "purple_upnp_discover_send_broadcast()", "looked_up_public_ip_cb()", "looked_up_internal_ip_cb()", 
"purple_upnp_set_port_mapping()", and "purple_upnp_remove_port_mapping()" functions (libpurple/upnp.c) when handling UPnP requests can be exploited to cause crashes.

The vulnerabilities are reported in version 2.10.6. Prior versions may also be affected.


Solution
Update to version 2.10.7.

Provided and/or discovered by
The vendor credits:
1) Chris Wysopal, Veracode
2, 3, 4) Coverity static analysis

Original Advisory
Pidgin:
http://www.pidgin.im/news/security/?id=65
http://www.pidgin.im/news/security/?id=66
http://www.pidgin.im/news/security/?id=67
http://www.pidgin.im/news/security/?id=68
Comment 1 Agostino Sarubbo gentoo-dev 2013-02-19 15:10:13 UTC
*** Bug 458304 has been marked as a duplicate of this bug. ***
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2013-03-02 16:00:45 UTC
Renaming the ebuild works well for me. I've added a patch that is already included in upstream's vcs to prevent a crash caused by a plugin. https://git.overlays.gentoo.org/gitweb/?p=user/mrueg.git;a=tree;f=net-im/pidgin;hb=HEAD
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 23:22:21 UTC
CVE-2013-0274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0274):
  upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminate long
  strings in UPnP responses, which allows remote attackers to cause a denial
  of service (application crash) by leveraging access to the local network.

CVE-2013-0273 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0273):
  sametime.c in the Sametime protocol plugin in libpurple in Pidgin before
  2.10.7 does not properly terminate long user IDs, which allows remote
  servers to cause a denial of service (application crash) via a crafted
  packet.

CVE-2013-0272 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0272):
  Buffer overflow in http.c in the MXit protocol plugin in libpurple in Pidgin
  before 2.10.7 allows remote servers to execute arbitrary code via a long
  HTTP header.

CVE-2013-0271 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0271):
  The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might allow
  remote attackers to create or overwrite files via a crafted (1) mxit or (2)
  mxit/imagestrips pathname.
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2013-03-11 13:22:04 UTC
+*pidgin-2.10.7 (11 Mar 2013)
+
+  11 Mar 2013; Lars Wendler <polynomial-c@gentoo.org> +pidgin-2.10.7.ebuild,
+  +files/pidgin-2.10.7-fix-cap.patch:
+  Non-maintainer commit: Security bump (bug #457580). Thanks to Manuel Rüger
+  for making us aware of a needed patch.
+
Comment 5 Agostino Sarubbo gentoo-dev 2013-03-11 13:26:00 UTC
Arches, please test and mark stable:
=net-im/pidgin-2.10.7
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 6 Joakim Tjernlund 2013-03-11 15:47:24 UTC
You missed Manuel latest addition to the ebuild:
   epatch_user
Comment 7 Agostino Sarubbo gentoo-dev 2013-03-12 09:53:21 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-03-12 10:07:11 UTC
x86 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2013-03-12 15:37:04 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2013-03-12 18:31:34 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-03-13 11:23:42 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-03-14 06:52:42 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-03-14 07:47:42 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-03-14 12:43:23 UTC
sparc stable
Comment 15 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-17 15:55:00 UTC
New GLSA request filed.
Comment 16 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2013-03-18 09:17:34 UTC
For the record. I've revbumped pidgin due to bug #461530 and comitted that revision straight to stable. So if you push out the GLSA you might want to reference to net-im/pidgin-2.10.7-r1
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-05-18 17:50:26 UTC
This issue was resolved and addressed in
 GLSA 201405-22 at http://security.gentoo.org/glsa/glsa-201405-22.xml
by GLSA coordinator Sean Amoss (ackle).