Bug 18754 - pidgin several new security issues fixed in MXit protocol plugin in 2.11.0
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/692851/
Whiteboard: MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks: 18867
 
Reported: 2016-06-21 17:13 CEST by David Walser
Modified: 2016-07-05 19:06 CEST

See Also:
Source RPM: pidgin-2.10.11-1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2016-06-21 17:13:22 CEST
Pidgin 2.11.0 has been released today (June 21):
https://bitbucket.org/pidgin/www/src/tip/htdocs/ChangeLog?fileviewer=file-view-default

Shlomi has already updated it in Cauldron.

It fixes several security issues in the MXit protocol plugin, as well as fixing authentication for the AIM protocol which has been broken for quite some time now.
Comment 1 Shlomi Fish 2016-06-21 18:35:04 CEST
Thanks! pidgin 2.11.0 was submitted to the build system for mageia5 core/updates_testing. Now to prepare an advisory.
Comment 2 David Walser 2016-06-21 20:05:36 CEST
Thanks!  It's so nice to finally be able to connect to AIM again.

Tested fine on Mageia 5 i586 with AIM, Yahoo!, and XMPP (Google) accounts.

Whiteboard: (none) => MGA5-32-OK

Comment 3 David Walser 2016-06-22 20:38:56 CEST
Advisory:
========================

Updated pidgin packages fix security vulnerabilities:

A buffer overflow vulnerability exists in the handling of the MXIT protocol
in Pidgin. Specially crafted MXIT data sent from the server could potentially
result in arbitrary code execution. A malicious server or an attacker who
intercepts the network traffic can send an invalid size for a packet which
will trigger a buffer overflow (CVE-2016-2376).

A buffer vulnerability exists in the handling of the MXIT protocol in Pidgin.
Specially crafted MXIT data sent by the server could potentially result in an
out of bounds write of one byte. A malicious server can send a negative
content-length in response to an HTTP request triggering the vulnerability
(CVE-2016-2377).

A buffer overflow vulnerability exists in the handling of the MXIT protocol
in Pidgin. Specially crafted data sent via the server could potentially result
in a buffer overflow, potentially resulting in memory corruption. A malicious
server or an unfiltered malicious user can send negative length values to
trigger this vulnerability (CVE-2016-2378).

An information leak exists in the handling of the MXIT protocol in Pidgin.
Specially crafted MXIT data sent to the server could potentially result in an
out of bounds read. A user could be convinced to enter a particular string
which would then get converted incorrectly and could lead to a potential
out-of-bounds read (CVE-2016-2380).

A directory traversal exists in the handling of the MXIT protocol in Pidgin.
Specially crafted MXIT data sent from the server could potentially result in
an overwrite of files. A malicious server or someone with access to the
network traffic can provide an invalid filename for a splash image triggering
the vulnerability (CVE-2016-4323).

A denial of service vulnerability exists in the handling of the MXIT protocol
in Pidgin. Specially crafted MXIT data sent via the server could potentially
result in a null pointer dereference. A malicious server or an attacker who
intercepts the network traffic can send invalid data to trigger this
vulnerability and cause a crash (CVE-2016-2365).

A denial of service vulnerability exists in the handling of the MXIT protocol
in Pidgin. Specially crafted MXIT data sent via the server could potentially
result in an out-of-bounds read. A malicious server or an attacker who
intercepts the network traffic can send invalid data to trigger this
vulnerability and cause a crash (CVE-2016-2366).

An information leak exists in the handling of the MXIT protocol in Pidgin.
Specially crafted MXIT data sent via the server could potentially result in
an out of bounds read. A malicious user, server, or man-in-the-middle can
send an invalid size for an avatar which will trigger an out-of-bounds read
vulnerability. This could result in a denial of service or copy data from
memory to the file, resulting in an information leak if the avatar is sent to
another user (CVE-2016-2367).

Multiple memory corruption vulnerabilities exist in the handling of the MXIT
protocol in Pidgin. Specially crafted MXIT data sent via the server could
result in multiple buffer overflows, potentially resulting in code execution
or memory disclosure (CVE-2016-2368).

A NULL pointer dereference vulnerability exists in the handling of the MXIT
protocol in Pidgin. Specially crafted MXIT data sent via the server could
potentially result in a denial of service vulnerability. A malicious server
can send a packet starting with a NULL byte triggering the vulnerability
(CVE-2016-2369).

A denial of service vulnerability exists in the handling of the MXIT protocol
in Pidgin. Specially crafted MXIT data sent from the server could potentially
result in an out-of-bounds read. A malicious server or man-in-the-middle can
send invalid data to trigger this vulnerability (CVE-2016-2370).

An out-of-bounds write vulnerability exists in the handling of the MXIT
protocol in Pidgin. Specially crafted MXIT data sent via the server could
cause memory corruption resulting in code execution (CVE-2016-2371).

An information leak exists in the handling of the MXIT protocol in Pidgin.
Specially crafted MXIT data sent via the server could potentially result in
an out of bounds read. A malicious user, server, or man-in-the-middle can
send an invalid size for a file transfer which will trigger an out-of-bounds
read vulnerability. This could result in a denial of service or copy data
from memory to the file, resulting in an information leak if the file is
sent to another user (CVE-2016-2372).

A denial of service vulnerability exists in the handling of the MXIT protocol
in Pidgin. Specially crafted MXIT data sent via the server could potentially
result in an out-of-bounds read. A malicious server or user can send an
invalid mood to trigger this vulnerability (CVE-2016-2373).

An exploitable memory corruption vulnerability exists in the handling of the
MXIT protocol in Pidgin. Specially crafted MXIT MultiMX message sent via the
server can result in an out-of-bounds write leading to memory disclosure and
code execution (CVE-2016-2374).

An exploitable out-of-bounds read exists in the handling of the MXIT protocol
in Pidgin. Specially crafted MXIT contact information sent from the server can
result in memory disclosure (CVE-2016-2375).

The pidgin package has been updated to version 2.11.0, which fixes these issues
and other bugs, including authentication for the AIM protocol.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4323
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2366
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2367
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2369
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2374
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2375
http://www.talosintel.com/reports/TALOS-2016-0118
http://www.talosintel.com/reports/TALOS-2016-0119
http://www.talosintel.com/reports/TALOS-2016-0120
http://www.talosintel.com/reports/TALOS-2016-0123
http://www.talosintel.com/reports/TALOS-2016-0128
http://www.talosintel.com/reports/TALOS-2016-0133
http://www.talosintel.com/reports/TALOS-2016-0134
http://www.talosintel.com/reports/TALOS-2016-0135
http://www.talosintel.com/reports/TALOS-2016-0136
http://www.talosintel.com/reports/TALOS-2016-0137
http://www.talosintel.com/reports/TALOS-2016-0138
http://www.talosintel.com/reports/TALOS-2016-0139
http://www.talosintel.com/reports/TALOS-2016-0140
http://www.talosintel.com/reports/TALOS-2016-0141
http://www.talosintel.com/reports/TALOS-2016-0142
http://www.talosintel.com/reports/TALOS-2016-0143
https://bitbucket.org/pidgin/www/src/tip/htdocs/ChangeLog?fileviewer=file-view-default
========================

Updated packages in core/updates_testing:
========================
pidgin-2.11.0-1.mga5
pidgin-plugins-2.11.0-1.mga5
pidgin-perl-2.11.0-1.mga5
pidgin-tcl-2.11.0-1.mga5
pidgin-silc-2.11.0-1.mga5
libpurple-devel-2.11.0-1.mga5
libpurple0-2.11.0-1.mga5
libfinch0-2.11.0-1.mga5
finch-2.11.0-1.mga5
pidgin-bonjour-2.11.0-1.mga5
pidgin-meanwhile-2.11.0-1.mga5
pidgin-client-2.11.0-1.mga5
pidgin-i18n-2.11.0-1.mga5

from pidgin-2.11.0-1.mga5.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs
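
Several of the issues listed in the advisory above come from trusting a length supplied by the peer, for example the negative content-length of CVE-2016-2377. The following C code is an added illustration of how a receiver can validate such a field before using it as an index; it is not Pidgin or MXit plugin code, and the names `parse_content_length`, `store_body` and `BODY_MAX` are hypothetical.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define BODY_MAX 4096 /* assumed upper bound for this example */

/* Parse a Content-Length header value (already trimmed of CR/LF).
 * Returns 0 and stores the length on success; returns -1 if the value
 * is empty, not a plain decimal number, negative, or above BODY_MAX. */
int parse_content_length(const char *value, size_t *out)
{
    char *end = NULL;
    long n;

    if (value == NULL || *value == '\0')
        return -1;
    errno = 0;
    n = strtol(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0')
        return -1;          /* overflow, no digits, or trailing junk */
    if (n < 0 || n > BODY_MAX)
        return -1;          /* a negative value must never reach an index */
    *out = (size_t)n;
    return 0;
}

/* Copy a body of the declared length into dst and NUL-terminate it.
 * With a signed length, a check such as "len < cap" passes for -1 and
 * the terminator write "dst[len] = 0" lands one byte before the buffer;
 * here the length is unsigned and checked against both the bytes
 * actually received and the destination capacity. */
int store_body(char *dst, size_t dst_cap, const char *value,
               const char *body, size_t body_avail)
{
    size_t len;

    if (parse_content_length(value, &len) != 0)
        return -1;
    if (len > body_avail || len >= dst_cap)
        return -1;          /* leave room for the terminator */
    memcpy(dst, body, len);
    dst[len] = '\0';
    return 0;
}
```
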

David Walser 2016-06-28 00:15:39 CEST

URL: (none) => http://lwn.net/Vulnerabilities/692851/

Dave Hodgins 2016-07-05 16:30:58 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2016-07-05 17:48:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0236.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Frédéric "LpSolit" Buclin 2016-07-05 19:06:42 CEST

Blocks: (none) => 18867

