
DOE-CIRC TECHNICAL BULLETIN

T-143: Pidgin Multiple Buffer Overflow Vulnerabilities

[CVE-2009-1373 Thru CVE-2009-1376]

May 26, 2009 14:00 GMT

PROBLEM: Pidgin is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data.
PLATFORM: Pidgin 2.5.5 and earlier versions.
ABSTRACT: Pidgin is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data. Successful exploits may allow attackers to execute arbitrary code with the privileges of a user running the software or cause denial-of-service conditions.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-143.shtml
  OTHER LINKS:
    Security Focus Website
    http://www.securityfocus.com/bid/35067/info
    Pidgin Website
    http://pidgin.im/news/security/

CVE: CVE-2009-1376
CVE-2009-1375
CVE-2009-1374
CVE-2009-1373

IMPACT ASSESSMENT: The risk is low. Successful exploitation of the most serious of these flaws could result in the execution of arbitrary code in the security context of the current user. No exploits are known in the wild at this time.

[***** Start CVE-2009-1373 Thru CVE-2009-1376 *****]

Discussion:
CVE 1373:
Buffer overflow is possible when initiating file transfer to a malicious buddy over XMPP. The XMPP SOCKS5 bytestream server
was not correctly checking the bounds of a buffer when initiating an outgoing file transfer.

CVE 1374:
Possible remote denial of service when receiving a QQ packet. decrypt_out() always writes 8 bytes past the passed in
buffer, which is always allocated on the stack. We don't believe this can cause anything outside of a crash.

CVE 1375:
Remote denial of service that affects several protocols. A buffer maintained by PurpleCircBuffer may be corrupted if it's
exactly full and then more bytes are added to it, leading to a crash. This structure is used by the XMPP and Sametime protocol
plugins.

CVE 1376:
Malformed SLP messages can cause a buffer overflow. The previous fix for CVE-2008-2927 was deemed incomplete. The size check
improperly cast a uint64 to size_t, which can cause an integer overflow (truncation on 32-bit builds), rendering the check useless.
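
The CVE-2009-1376 pattern in isolation, as an added illustration that is not Pidgin's code: a 64-bit length from the message is narrowed to the platform size type before it is compared against the buffer size, so an oversized length can wrap to a small value and pass the check. The `uint32_t` stand-in for a 32-bit `size_t`, the buffer size, and the sample length are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for size_t on a 32-bit build, where the
 * narrowing cast described in the bulletin discards the high bits. */
typedef uint32_t size32_t;

#define BUF_LEN 1024u   /* assumed size of the destination buffer */

/* Weak check: the 64-bit length is cast to the narrower size type
 * BEFORE the comparison, so 2^32 + 16 becomes 16 and is accepted. */
bool length_ok_truncating(uint64_t msg_len)
{
    size32_t len = (size32_t)msg_len;   /* high 32 bits lost here */
    return len <= BUF_LEN;
}

/* Hardened check: compare in the wider type and only narrow after
 * the value is known to fit; no wrap-around is possible. */
bool length_ok_checked(uint64_t msg_len)
{
    return msg_len <= (uint64_t)BUF_LEN;
}

int main(void)
{
    /* constructed malformed length: 2^32 + 16 wraps to 16 in 32 bits */
    uint64_t oversized = (1ULL << 32) + 16;
    printf("truncating check: %s\n",
           length_ok_truncating(oversized) ? "accepts" : "rejects");
    printf("widened check:    %s\n",
           length_ok_checked(oversized) ? "accepts" : "rejects");
    return 0;
}
```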

Solution:
The flaws are fixed in the latest version - 2.5.6.

http://pidgin.im/news/security/
http://pidgin.im/download/


[***** End CVE-2009-1373 Thru CVE-2009-1376 *****]

DOECIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
                     


UCRL-MI-119788