DOE-CIRC TECHNICAL BULLETIN

T-175: Pidgin OSCAR Protocol Web Message Denial of Service Vulnerability

[CVE-2009-1889]

July 2, 2009 13:00 GMT

PROBLEM: This flaw is caused by an out-of-memory error when parsing ICQ Web Messages as SMS messages.
PLATFORM: Pidgin 2.4.0 through 2.5.7 are vulnerable.
ABSTRACT: The OSCAR (Open System for Communication in Realtime) protocol implementation in Pidgin before 2.5.8 misinterprets the ICQ Web Message type as the ICQ SMS message type.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-175.shtml
  OTHER LINKS:
    Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=508738
    Vupen Security: http://www.vupen.com/english/advisories/2009/1749
    SecurityFocus: http://www.securityfocus.com/bid/35530
    Pidgin: http://pidgin.im/pipermail/devel/2009-May/008227.html

  CVE: CVE-2009-1889

IMPACT ASSESSMENT: This risk is low. A remote ICQ user who sends a crafted web message to the local Pidgin user over this protocol can trigger excessive memory allocation and a denial of service (application crash).

[***** Start CVE-2009-1889 *****]
Discussion:
This flaw is caused by an out-of-memory error when parsing ICQ Web Messages as SMS messages. The OSCAR (Open System for Communication in Realtime) protocol implementation in Pidgin before 2.5.8 misinterprets the ICQ Web Message type as the ICQ SMS message type, which allows remote attackers to cause a denial of service (application crash) via a crafted ICQ web message that triggers allocation of a large amount of memory.
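The defensive pattern behind the fix described above is to dispatch on the message type before trusting any type-specific length field, and to bound the allocation derived from that field. The following is an added illustration, not Pidgin's code; the wire layout (one type byte, a 16-bit big-endian body length, then the body), the type tags and the size cap are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical type tags, assumed for this example (not Pidgin's real values). */
enum icq_msg_type { ICQ_MSG_SMS = 1, ICQ_MSG_WEB = 2 };

/* Largest message body this handler is willing to allocate for. */
#define ICQ_MAX_BODY_LEN 4096

/* Constructed layout: type byte, 16-bit big-endian body length, body bytes. */
struct icq_msg {
    uint8_t type;
    size_t body_len;
    const uint8_t *body;
};

/* Parse the header; returns 0 on success, -1 if the message is truncated,
 * claims more body than is actually present, or exceeds the size cap. */
int icq_parse(const uint8_t *buf, size_t len, struct icq_msg *out) {
    if (len < 3)
        return -1;
    out->type = buf[0];
    size_t claimed = (size_t)((buf[1] << 8) | buf[2]);
    /* len >= 3 here, so len - 3 cannot wrap around. */
    if (claimed > len - 3 || claimed > ICQ_MAX_BODY_LEN)
        return -1;
    out->body_len = claimed;
    out->body = buf + 3;
    return 0;
}

/* SMS-only handler: web messages are refused here instead of being parsed
 * with SMS rules, and the allocation uses the already-validated length.
 * Returns a heap-allocated C string (caller frees) or NULL on rejection. */
char *icq_handle_sms(const uint8_t *buf, size_t len) {
    struct icq_msg m;
    if (icq_parse(buf, len, &m) != 0)
        return NULL;
    if (m.type != ICQ_MSG_SMS)
        return NULL;                 /* route ICQ_MSG_WEB to its own handler */
    char *text = malloc(m.body_len + 1);
    if (text == NULL)
        return NULL;
    memcpy(text, m.body, m.body_len);
    text[m.body_len] = '\0';
    return text;
}
```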

Solution:
Upgrade to the latest version of Pidgin (2.5.8 or later):

http://pidgin.im/download

Affected releases (Pidgin 2.4, 2.4.1, 2.4.2, 2.4.3, 2.5.5, 2.5.6 and 2.5.7) should all be updated to the same fixed release:

    * Pidgin pidgin-2.5.8.tar.bz2
      http://downloads.sourceforge.net/pidgin/pidgin-2.5.8.tar.bz2


[***** End CVE-2009-1889 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788