Bug 9064 - pidgin new security issues CVE-2013-0271, CVE-2013-0272, CVE-2013-0273, CVE-2013-0274
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: normal
URL: http://lwn.net/Vulnerabilities/538116/
Whiteboard: has_procedure MGA2-64-OK mga2-32-OK
Keywords: validated_update
Reported: 2013-02-13 17:10 CET by Oden Eriksson
Modified: 2013-02-21 21:55 CET (History)
Source RPM: pidgin-2.10.6-1.mga2.src.rpm
Description Oden Eriksson 2013-02-13 17:10:51 CET
*** The contents of this email are sensitive!  Please do not share
publicly until after the embargo date -- Wednesday 2013-02-13 at 07:00
PST, 10:00 EST, 15:00 UTC ***

Hello Pidgin packagers!

I'm sorry to inform you that we're disclosing some security
vulnerabilities in Pidgin and libpurple.  We're releasing Pidgin
2.10.7 this Wednesday (2 and a half days from now) with fixes.  These
issues were all found by static code analysis and not by actual
crashes.  We do not have repro steps for any of them, however we DO
believe they are all remotely triggerable.  The vulnerabilities are:

CVE-2013-0271, discovered by Chris Wysopal, Veracode.
Remote MXit user could specify local file path.
The MXit protocol plugin saves an image to local disk using a filename
that could potentially be partially specified by the IM server or by a
remote user.
Information about this issue will be posted at
http://pidgin.im/news/security/?id=65 after the embargo date.

CVE-2013-0272, discovered by Coverity static analysis.
MXit buffer overflow reading data from network.
The code did not respect the size of the buffer when parsing HTTP
headers, and a malicious server or man-in-the-middle could send
specially crafted data that could overflow the buffer.  This could
lead to a crash or remote code execution.
Information about this issue will be posted at
http://pidgin.im/news/security/?id=66 after the embargo date.

CVE-2013-0273, discovered by Coverity static analysis.
Sametime crash with long user IDs.
libpurple failed to null-terminate user IDs that were longer than 4096
bytes.  It's plausible that a malicious server could send one of these
to us, which would lead to a crash.
Information about this issue will be posted at
http://pidgin.im/news/security/?id=67 after the embargo date.

CVE-2013-0274, discovered by Coverity static analysis.
Crash when receiving a UPnP response with abnormally long values.
libpurple failed to null-terminate some strings when parsing the
response from a UPnP router.  This could lead to a crash if a
malicious user on your network responds with a specially crafted
message.
Information about this issue will be posted at
http://pidgin.im/news/security/?id=68 after the embargo date.

You can download patches and the 2.10.7 release from here:
http://pidgin.im/~markdoliner/aiofFj4se2E9I/
These files are not public!  Please do not distribute them to
end-users until after the embargo (Wednesday 2013-02-13 at 07:00 PST,
10:00 EST, 15:00 UTC).

In addition to the above, we made a change to account for a changed
SSL certificate on some MSN servers.  If your build of Pidgin uses
your own system-wide CA certificate directory then you don't need to
do anything.  If your build of Pidgin installs our bundled CA certs
then I believe you'll need to patch in this change in order for users
to be able to login to MSN:
http://hg.pidgin.im/pidgin/main/rev/673056a91e3b

Thanks, and please let me know if you have any problems or questions,
Mark

*** The contents of this email are sensitive!  Please do not share
publicly until after the embargo date -- Wednesday 2013-02-13 at 07:00
PST, 10:00 EST, 15:00 UTC ***
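Three of the four issues in the announcement above share one defect class: a fixed-size string buffer filled from network data either without respecting the buffer size (the MXit HTTP header parser) or without a terminating NUL (the Sametime user IDs and the UPnP response fields). The fourth is a filename for a local file that a remote peer can influence. The following C is an added, constructed illustration of both classes and their hardened counterparts; it is not libpurple or Pidgin code, and the function names, the 16-byte stand-in for the 4096-byte ID limit, and the sample header lines and filenames are assumptions made for the example.

```c
/* Constructed illustration (not libpurple code) of the defect classes in the
 * announcement: fixed-size string buffers filled from network data without a
 * bound or a terminating NUL, and a remotely influenced local filename.
 * Buffer sizes, function names and sample inputs are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ID 16   /* small stand-in for the report's 4096-byte ID limit */

/* True if buf[0..size) holds a NUL, i.e. the buffer is usable as a C string. */
bool is_nul_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* The pattern behind the reported crashes: strncpy bounded by the buffer size
 * writes no terminator when the source is at least that long, so a later
 * strlen() or printf() on the buffer reads past its end. */
bool legacy_copy_terminates(const char *src)
{
    char id[MAX_ID];
    memset(id, 'X', sizeof id);       /* stand-in for stale stack contents */
    strncpy(id, src, sizeof id);      /* no NUL when strlen(src) >= MAX_ID */
    return is_nul_terminated(id, sizeof id);
}

/* Hardened copy: always terminates and reports an oversized value so the
 * caller can reject it instead of silently working on a truncated string. */
int bounded_copy(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst_size == 0) return -1;
    if (src_len >= dst_size) {
        dst[0] = '\0';
        return -1;                    /* value does not fit the field */
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Parse one "Name: value\r\n" header line of line_len bytes into fixed-size
 * fields.  The bound comes from the caller's receive buffer, never from a
 * length the peer supplied.  Returns 0, or -1 if malformed or too long. */
int parse_header_line(const char *line, size_t line_len,
                      char *name, size_t name_size,
                      char *value, size_t value_size)
{
    const char *colon = memchr(line, ':', line_len);
    if (colon == NULL) return -1;
    size_t name_len = (size_t)(colon - line);
    const char *v = colon + 1;
    size_t v_len = line_len - name_len - 1;
    while (v_len > 0 && *v == ' ') { v++; v_len--; }          /* leading blanks */
    while (v_len > 0 && (v[v_len - 1] == '\r' || v[v_len - 1] == '\n')) v_len--;
    if (bounded_copy(name, name_size, line, name_len) < 0) return -1;
    return bounded_copy(value, value_size, v, v_len);
}

/* For a filename a remote peer may influence: keep only the last path
 * component and a conservative character set, so the saved image cannot land
 * outside the intended directory.  Returns 0, or -1 if nothing safe remains. */
int sanitize_image_filename(const char *remote, char *out, size_t out_size)
{
    if (out_size == 0) return -1;
    const char *base = remote;
    for (const char *p = remote; *p; p++)
        if (*p == '/' || *p == '\\') base = p + 1;      /* drop directory parts */
    size_t n = 0;
    for (const char *p = base; *p && n + 1 < out_size; p++) {
        unsigned char c = (unsigned char)*p;
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (ok) out[n++] = (char)c;
    }
    out[n] = '\0';
    if (n == 0 || strcmp(out, ".") == 0 || strcmp(out, "..") == 0) return -1;
    return 0;
}

int main(void)
{
    char name[16], value[16], fname[32];
    const char *ok_line = "Content-Type: image/png\r\n";           /* constructed */
    const char *long_line = "X-Remote-Id: 0123456789ABCDEF\r\n";   /* constructed */

    printf("strncpy terminates a 16-byte ID: %s\n",
           legacy_copy_terminates("0123456789ABCDEF") ? "yes" : "NO");
    printf("parse ok line: %d (%s=%s)\n",
           parse_header_line(ok_line, strlen(ok_line), name, sizeof name,
                             value, sizeof value), name, value);
    printf("parse oversized value: %d\n",
           parse_header_line(long_line, strlen(long_line), name, sizeof name,
                             value, sizeof value));
    printf("sanitize ../../outside.png -> %d %s\n",
           sanitize_image_filename("../../outside.png", fname, sizeof fname), fname);
    return 0;
}
```

The point of `bounded_copy` returning a failure rather than truncating is that a protocol parser should drop an oversized field (or the connection) instead of continuing with a silently shortened user ID or header value; the `is_nul_terminated` check is also a cheap assertion to put behind any fixed-size buffer that later reaches `strlen` or `printf`.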
Comment 1 Oden Eriksson 2013-02-13 17:13:56 CET
2.10.7 has been submitted to mga2. Someone has to submit it to Cauldron.
Comment 2 David Walser 2013-02-13 20:25:41 CET
You do realize that I don't see these bugs unless you CC me, or I just happen to go looking for them?

Checking that it builds now in Cauldron, then I'll request the freeze push.

Thanks.
Comment 3 Oden Eriksson 2013-02-14 11:00:20 CET
Instead there should be a new secteam@mageia.org "user" in Bugzilla added. This email address points to a mailman GPG encrypted mailing list where certain secteam members are subscribed.

To me as a Mageia "newbie" it's painful to reassign bugs as Mageia does not seem to use a common name standard like "David Walser <dwalser@mageia.org>". E-mail addresses in rpm changelogs are cloaked. IRC nicknames are cloaked, inconsistent and/or incomplete (no info attached).
Comment 4 David Walser 2013-02-14 18:30:25 CET
Segfault reported by Simon (Bug 9075) fixed and package rebuilt.

Assigning to QA.

Advisory:
========================

Updated pidgin packages fix security vulnerabilities:

Remote MXit user could specify local file path in Pidgin before 2.10.7.
The MXit protocol plugin saves an image to local disk using a filename
that could potentially be partially specified by the IM server or by a
remote user (CVE-2013-0271).

MXit buffer overflow reading data from network in Pidgin before 2.10.7.
The code did not respect the size of the buffer when parsing HTTP
headers, and a malicious server or man-in-the-middle could send
specially crafted data that could overflow the buffer.  This could
lead to a crash or remote code execution (CVE-2013-0272).

Sametime crash with long user IDs in Pidgin before 2.10.7.  libpurple
failed to null-terminate user IDs that were longer than 4096 bytes.
It's plausible that a malicious server could send one of these to us,
which would lead to a crash (CVE-2013-0273).

Crash when receiving a UPnP response with abnormally long values in
Pidgin before 2.10.7.  libpurple failed to null-terminate some strings
when parsing the response from a UPnP router.  This could lead to a
crash if a malicious user on your network responds with a specially
crafted message (CVE-2013-0274).

Pidgin has been updated to 2.10.7, which fixes these and other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0274
http://pidgin.im/news/security/?id=65
http://pidgin.im/news/security/?id=66
http://pidgin.im/news/security/?id=67
http://pidgin.im/news/security/?id=68
https://developer.pidgin.im/wiki/ChangeLog
========================

Updated packages in core/updates_testing:
========================
pidgin-2.10.7-1.1.mga2
pidgin-plugins-2.10.7-1.1.mga2
pidgin-perl-2.10.7-1.1.mga2
pidgin-tcl-2.10.7-1.1.mga2
pidgin-silc-2.10.7-1.1.mga2
libpurple-devel-2.10.7-1.1.mga2
libpurple0-2.10.7-1.1.mga2
libfinch0-2.10.7-1.1.mga2
finch-2.10.7-1.1.mga2
pidgin-bonjour-2.10.7-1.1.mga2
pidgin-meanwhile-2.10.7-1.1.mga2
pidgin-client-2.10.7-1.1.mga2
pidgin-i18n-2.10.7-1.1.mga2

from pidgin-2.10.7-1.1.mga2.src.rpm
Comment 5 Bill Wilkinson 2013-02-17 23:17:51 CET
No POC.  Connected to yahoo, IRC and ICQ and facebook chat.

App icon does not show up in KDE4 task bar, but that's probably minor with the systray icon anyway.

MGA2-64 OK
Comment 6 claire robinson 2013-02-18 12:12:54 CET
Testing complete mga2 32

Well done Bill, thank you. Keep doing what you're doing :)
Connected WLM & IRC

Validating

Advisory & srpm in comment 4

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 7 Thomas Backlund 2013-02-21 21:55:37 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0058
