pidgin: Few security flaws

Debian Bug report logs - #488632
pidgin: Few security flaws

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: pidgin: Few security flaws

Date: Mon, 30 Jun 2008 10:29:05 +0200

Package: pidgin
Severity: grave
Tags: security
Justification: user security hole

Hi

The following email came over the public security list:

There are three pidgin flaws that could use CVE ids.

http://marc.info/?l=bugtraq&m=121449329530282&w=4

And two here:
http://crisp.cs.du.edu/?q=ca2007-1

If you fix them, please upload with high urgency to unstable so that
it reaches testing soon. Since pidgin is often stalled in migration,
it would be good, if you could consider preparing a testing-security
upload.

Cheers
Steffen

Message #10 received at 488632@bugs.debian.org (full text, mbox, reply):

From: Kai Wasserbäch <debian@carbon-project.org>

To: 488632@bugs.debian.org

Subject: Additional resource

Date: Mon, 30 Jun 2008 17:33:47 +0200

[Message part 1 (text/plain, inline)]

Hi,
Secunia reports [0] that the bug reported by Juan Pablo Lopez Yacubian on
Buqtraq is also present in 2.4.2.

Greetings,
Kai


[0] http://secunia.com/advisories/30881/



-- 

Kai Wasserbäch (Kai Wasserbaech)

E-Mail: debian@carbon-project.org
Jabber (debianforum.de): Drizzt
URL: http://wiki.debianforum.de/Drizzt_Do%27Urden
GnuPG: 0xE1DE59D2      0600 96CE F3C8 E733 E5B6 1587 A309 D76C E1DE 59D2
(http://pgpkeys.pca.dfn.de/pks/lookup?search=0xE1DE59D2&fingerprint=on&hash=on&op=vindex)

[signature.asc (application/pgp-signature, attachment)]

Message #15 received at 488632-close@bugs.debian.org (full text, mbox, reply):

From: Ari Pollak <ari@debian.org>

To: 488632-close@bugs.debian.org

Subject: Bug#488632: fixed in pidgin 2.4.3-1

Date: Wed, 02 Jul 2008 17:32:41 +0000

Source: pidgin
Source-Version: 2.4.3-1

We believe that the bug you reported is fixed in the latest version of
pidgin, which is due to be installed in the Debian FTP archive:

finch-dev_2.4.3-1_all.deb
  to pool/main/p/pidgin/finch-dev_2.4.3-1_all.deb
finch_2.4.3-1_amd64.deb
  to pool/main/p/pidgin/finch_2.4.3-1_amd64.deb
libpurple-bin_2.4.3-1_all.deb
  to pool/main/p/pidgin/libpurple-bin_2.4.3-1_all.deb
libpurple-dev_2.4.3-1_all.deb
  to pool/main/p/pidgin/libpurple-dev_2.4.3-1_all.deb
libpurple0_2.4.3-1_amd64.deb
  to pool/main/p/pidgin/libpurple0_2.4.3-1_amd64.deb
pidgin-data_2.4.3-1_all.deb
  to pool/main/p/pidgin/pidgin-data_2.4.3-1_all.deb
pidgin-dbg_2.4.3-1_amd64.deb
  to pool/main/p/pidgin/pidgin-dbg_2.4.3-1_amd64.deb
pidgin-dev_2.4.3-1_all.deb
  to pool/main/p/pidgin/pidgin-dev_2.4.3-1_all.deb
pidgin_2.4.3-1.diff.gz
  to pool/main/p/pidgin/pidgin_2.4.3-1.diff.gz
pidgin_2.4.3-1.dsc
  to pool/main/p/pidgin/pidgin_2.4.3-1.dsc
pidgin_2.4.3-1_amd64.deb
  to pool/main/p/pidgin/pidgin_2.4.3-1_amd64.deb
pidgin_2.4.3.orig.tar.gz
  to pool/main/p/pidgin/pidgin_2.4.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 488632@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <ari@debian.org> (supplier of updated pidgin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Wed, 02 Jul 2008 10:44:14 -0400
Source: pidgin
Binary: libpurple0 pidgin pidgin-data pidgin-dev pidgin-dbg finch finch-dev libpurple-dev libpurple-bin
Architecture: source all amd64
Version: 2.4.3-1
Distribution: unstable
Urgency: high
Maintainer: Robert McQueen <robot101@debian.org>
Changed-By: Ari Pollak <ari@debian.org>
Description: 
 finch      - text-based multi-protocol instant messaging client
 finch-dev  - text-based multi-protocol instant messaging client - development
 libpurple-bin - multi-protocol instant messaging library - extra utilities
 libpurple-dev - multi-protocol instant messaging library - development files
 libpurple0 - multi-protocol instant messaging library
 pidgin     - graphical multi-protocol instant messaging client for X
 pidgin-data - multi-protocol instant messaging client - data files
 pidgin-dbg - Debugging symbols for Pidgin
 pidgin-dev - multi-protocol instant messaging client - development files
Closes: 469863 484429 484750 488632 488852 488930
Changes: 
 pidgin (2.4.3-1) unstable; urgency=high
 .
   * New upstream release (Closes: #488930)
     - Fixes ICQ sign-on problems (Closes: #488852)
     - Fixes an MSN integer overflow security issue, CVE-2008-2927
       (Closes: #488632). The other issues referenced by that bug report
       are questionably problematic, and they aren't that serious.
   * Remove -fstack-protector since it just makes pidgin crash on arm(el).
     (Closes: #469863)
   * Remove bashism in debian/rules (Closes: #484429)
   * Remove Network Manager support again since it's still buggy and doesn't
     actually tell the user what's going on (Closes: #484750)
   * debian/patches/16_yahoo_icon_crash.patch:
     - Drop patch, integrated upstream
Checksums-Sha1: 
 59e9350c9a6da8dad120a725d38de1d487e5f122 1800 pidgin_2.4.3-1.dsc
 a4e484aa0748f4ce0ded791ad65ad96940ef7b27 13123610 pidgin_2.4.3.orig.tar.gz
 f9fa327043d7ff9ddde09f1a5f5192f901fd0b07 59023 pidgin_2.4.3-1.diff.gz
 00b6d4dfa07df8f1522966d0d90cf74fa5d54ece 7014696 pidgin-data_2.4.3-1_all.deb
 0d44d59fe2c661ca4e64137f91fddbc74fe4b0ab 193162 pidgin-dev_2.4.3-1_all.deb
 a7632ba2dc11bf3d8257e6be22cc2d20532db5d5 155378 finch-dev_2.4.3-1_all.deb
 49dc454232bec2f7294f68cf2f38e86401f2fe60 274512 libpurple-dev_2.4.3-1_all.deb
 09a1bde2e170334f34ed424fda4287b3dc2d2813 131564 libpurple-bin_2.4.3-1_all.deb
 a42b3485aa6f3e7ab27e6e9c00419616c46ec3b2 1710048 libpurple0_2.4.3-1_amd64.deb
 d883383249d45201942db00938f0804c90c94d4f 727320 pidgin_2.4.3-1_amd64.deb
 e44741600a7efcf85928f4ce68e8b0344605d5de 5722440 pidgin-dbg_2.4.3-1_amd64.deb
 a31ad723dbf7414f5084be8a64c33b945beef9ea 347528 finch_2.4.3-1_amd64.deb
Checksums-Sha256: 
 241a71196a5bb363325f996754bd8b385309ecdad335218bd5670b9d6bafc128 1800 pidgin_2.4.3-1.dsc
 74b85c40408bdade6727efb2817a7cb5afbeb1e311d7a74fe747dd3c9b03ff6f 13123610 pidgin_2.4.3.orig.tar.gz
 74fb8a13377123f19b41e7c866e23a9d3bfe959037e21ab0175521cc5225221e 59023 pidgin_2.4.3-1.diff.gz
 b0906cd8a2bf36ce1a523525e3f2c4198e3e316910f5faf6b9dc4b1cb0934032 7014696 pidgin-data_2.4.3-1_all.deb
 17805a17129fe42b67911772e2bd45fdd7bae82fa516d81b22ad05290543b2eb 193162 pidgin-dev_2.4.3-1_all.deb
 3d6a105b6196c1a42e6f367e7b03a0d933260dcfaa177345ad0f62fbdafa0580 155378 finch-dev_2.4.3-1_all.deb
 ad547cb0bda98c6fc6f1984933d91b67a75f030a49553ace74e101eb475f313a 274512 libpurple-dev_2.4.3-1_all.deb
 07d087f8df7644ee775bcbaa8fff67d9258c3d0d86c4da0ada94487626b35671 131564 libpurple-bin_2.4.3-1_all.deb
 4fab5b5e91c43e3630de649a604116b64449f9a22af26407e73a01d6bc79f71b 1710048 libpurple0_2.4.3-1_amd64.deb
 77da9345c7192dcc7a45f4d26589f5ee79e2306233fdf62cb35e1d8ce84946b3 727320 pidgin_2.4.3-1_amd64.deb
 bd78e4e7967f90f1e0458a6be3ca2b1d9842944c2d265587fb98966025b02d77 5722440 pidgin-dbg_2.4.3-1_amd64.deb
 45e15949a22c3fdad789a0efbcc60a971767f4ab78bc26a06069e93e8e64ac90 347528 finch_2.4.3-1_amd64.deb
Files: 
 5cfd2e82172d7a3a46342cf82f39148c 1800 net optional pidgin_2.4.3-1.dsc
 d0e0bd218fbc67df8b2eca2f21fcd427 13123610 net optional pidgin_2.4.3.orig.tar.gz
 117eee02a6cfe3cf2c69a82084f138d8 59023 net optional pidgin_2.4.3-1.diff.gz
 7f023e576795c7b35e96e30636784cf7 7014696 net optional pidgin-data_2.4.3-1_all.deb
 3b1837185c71a37964042c5a72ace647 193162 devel optional pidgin-dev_2.4.3-1_all.deb
 c72e4202334eec83e3bd69bd9e5f9fea 155378 devel optional finch-dev_2.4.3-1_all.deb
 d93c077df9e574b7060c24ef5e3a7627 274512 libdevel optional libpurple-dev_2.4.3-1_all.deb
 3cec5ad1d9a9ba4cc418666a067d830a 131564 net optional libpurple-bin_2.4.3-1_all.deb
 09b7f8a8816509ef0524aa740c37ccfb 1710048 net optional libpurple0_2.4.3-1_amd64.deb
 6690872e5042a00cb335ed338102948d 727320 net optional pidgin_2.4.3-1_amd64.deb
 acf326884c72f453f6a8ada4c93e93a4 5722440 net extra pidgin-dbg_2.4.3-1_amd64.deb
 83b4d7f4bf035241327e59ba4bb7e97d 347528 net optional finch_2.4.3-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIa7kawO+u47cOQDsRA+l2AJ9VONp/YOG4Ec42U9gEioZHm4y6fwCfd21c
DkDO5q1CiIAbmtyrHo9h+Eo=
=tpEi
-----END PGP SIGNATURE-----

Message #24 received at 488632@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: 488632@bugs.debian.org

Subject: reopen and lower severity

Date: Fri, 4 Jul 2008 15:39:21 +0200

[Message part 1 (text/plain, inline)]

reopen 488632
severity 488632 normal
thanks

While I do agree that the remaining issues (CVE-2008-2957, CVE-2008-2956) are 
not RC bugs, I still believe they should be addressed. Thus, I reopened the 
bug and lowered the severity
to normal.

From what I've read, only people in the buddy list can trigger the arbitrary 
file download (CVE-2008-2957) and until now it is not clear what happens to 
the file, once it is downloaded. Therefore, it is only a bandwidth issue. The 
other issue (CVE-2008-2956) can only be exploited, when the client is 
connecting to a server that either does not check for malformed XML or send 
them. Therefore, it could (under certain circumstances) be used to perform a 
DoS. Now, we are still talking about a messanging client after all and thus 
the issues are not severe. Nonetheless, it would be interesting to find out, 
what happens to an arbitrary file, once it is downloaded.

Cheers
Steffen

P.S. Did you check the proposed patches[0][1] yet?

[0]: http://crisp.cs.du.edu/crisp-files/pidgin-2.0.0-upnp-limit-download.diff

[1]: http://crisp.cs.du.edu/crisp-files/pidgin-2.0.0-xmlnode-pool-leak.diff

[signature.asc (application/pgp-signature, inline)]

Message #29 received at 488632@bugs.debian.org (full text, mbox, reply):

From: Ari Pollak <ari@debian.org>

To: Steffen Joeris <steffen.joeris@skolelinux.de>, 488632@bugs.debian.org

Subject: Re: Bug#488632: reopen and lower severity

Date: Fri, 04 Jul 2008 10:35:39 -0400

Steffen Joeris wrote:
> P.S. Did you check the proposed patches[0][1] yet?

Upstream has still not made a decision about how to fix them, and I
don't want to apply a random patch that may or may not fix the issue
properly.

Message #36 received at 488632@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 488632@bugs.debian.org

Subject: Re: pidgin: Few security flaws

Date: Tue, 8 Jul 2008 11:11:48 +0200

[Message part 1 (text/plain, inline)]

Hi,
the only thing which is fixed in 2.4.3 so far is 
CVE-2008-2927 but none of the CVE ids included in the bug 
report are fixed from what I can see.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #41 received at 488632@bugs.debian.org (full text, mbox, reply):

From: Tobias Klauser <tklauser@distanz.ch>

To: 488632@bugs.debian.org

Subject: Re: pidgin: Few security flaws

Date: Thu, 9 Oct 2008 22:03:30 +0200

Hi,

According to [1] at least CVE-2008-2957 has been fixed upstream in
version 2.5.0

The fix looks the same as the one from [2] in libpurple/upnp.c but
differs a bit in libpurple/util.c

Unfortunately the upstream SCM is currently down so I was not able to
exract the patch from there.

[1] http://www.pidgin.im/news/security/
[2] http://crisp.cs.du.edu/crisp-files/pidgin-2.0.0-upnp-limit-download.diff

Cheers, Tobias

Message #46 received at 488632@bugs.debian.org (full text, mbox, reply):

From: John Walsh <prower2000@gmail.com>

To: 488632@bugs.debian.org

Date: Sat, 08 Nov 2008 22:52:25 -0330

This seems like a fairly serious security bug to be left alone for
several months...is there anyone involved in maintaining pidgin working
on patching this?

Message #51 received at 488632@bugs.debian.org (full text, mbox, reply):

From: Ari Pollak <ari@debian.org>

To: John Walsh <prower2000@gmail.com>, 488632@bugs.debian.org

Subject: Re: Bug#488632:

Date: Thu, 13 Nov 2008 12:23:15 -0500

CVE-2008-2956 is the only remaining bug that hasn't been fixed upstream.
It's not considered serious because of the reasons given earlier:

The other issue (CVE-2008-2956) can only be exploited, when the client
is connecting to a server that either does not check for malformed XML
or send them. Therefore, it could (under certain circumstances) be used
to perform a DoS.


On Sat, 2008-11-08 at 22:52 -0330, John Walsh wrote:
> This seems like a fairly serious security bug to be left alone for
> several months...is there anyone involved in maintaining pidgin working
> on patching this?
> 
> 
> 

Message #56 received at 488632@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Ari Pollak <ari@debian.org>

Cc: 488632@bugs.debian.org

Subject: Re: Bug#488632:

Date: Fri, 18 Dec 2009 18:43:35 +0100

On Thu, Nov 13, 2008 at 12:23:15PM -0500, Ari Pollak wrote:
> CVE-2008-2956 is the only remaining bug that hasn't been fixed upstream.
> It's not considered serious because of the reasons given earlier:
> 
> The other issue (CVE-2008-2956) can only be exploited, when the client
> is connecting to a server that either does not check for malformed XML
> or send them. Therefore, it could (under certain circumstances) be used
> to perform a DoS.

Ari, could you check with upstream, whether this has been fixed by now?

Cheers,
        Moritz

Message #61 received at 488632@bugs.debian.org (full text, mbox, reply):

From: Ari Pollak <ari@debian.org>

To: Moritz Muehlenhoff <jmm@inutil.org>, 488632@bugs.debian.org

Subject: Re: Bug#488632:

Date: Fri, 18 Dec 2009 13:06:11 -0500

Moritz Muehlenhoff wrote:
> Ari, could you check with upstream, whether this has been fixed by now?

I'm pretty sure it's not fixed anywhere. I don't remember the exact 
reason why, but I think it had to do with either lack of a good exploit 
case, or lack of a proper fix.

Message #68 received at 488632@bugs.debian.org (full text, mbox, reply):

From: Mark Doliner <mark@kingant.net>

To: 488632@bugs.debian.org

Subject: Let's close this

Date: Sun, 13 Mar 2011 00:36:44 -0800

I'm a dev on the Pidgin project and I just looked at the original diff
from the CRISP advisory.  I wasn't able to find a flaw in the
libpurple source code.  If someone can point out exactly how the leak
happens, or provide a proof of concept XML file that demonstrates the
leak, I'll gladly look at it again.  Until then I vote for closing
this as invalid.

--Mark

Message #75 received at 488632-done@bugs.debian.org (full text, mbox, reply):

From: Ari Pollak <ari@debian.org>

To: 488632-done@bugs.debian.org

Date: Sun, 24 Feb 2013 13:15:35 -0500

Closing as invalid.

Send a report that this bug log contains spam.