DOE-CIRC TECHNICAL BULLETIN

T-256: Pidgin OSCAR Plugin Invalid Memory Access Denial Of Service Vulnerability

[CVE-2009-3615]

October 22, 2009 13:00 GMT

PROBLEM: Pidgin is prone to a denial-of-service vulnerability because of 'invalid memory access' errors when processing specially crafted messages.
PLATFORM: Pidgin before 2.6.3 and Adium before 1.3.7
ABSTRACT: Attackers can exploit this issue to cause denial-of-service conditions. Given the nature of these issues, attackers may also be able to run arbitrary code, but this has not been confirmed.

LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-256.shtml
  OTHER LINKS: Security Focus
               http://www.securityfocus.com/bid/36719/info

  CVE: CVE-2009-3615

IMPACT ASSESSMENT: This risk is medium. A remote attacker could exploit this issue to cause denial-of-service conditions.

[***** Start CVE-2009-3615 *****]
Discussion:
The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client.

Vulnerable Systems:
Pidgin 2.6.1
Pidgin 2.6
Pidgin 2.5.9
Pidgin 2.5.8
Pidgin 2.5.7
Pidgin 2.5.6
Pidgin 2.5.5
Pidgin 2.4.3
Pidgin 2.4.2
Pidgin 2.4.1
Pidgin 2.4
Pidgin 2.2.2
Pidgin 2.2.1
Pidgin 2.2
Pidgin 2.1
Pidgin 2.0.2
Pidgin 2.0
Adium 1.3.6
Adium 1.3.5
Adium 1.3.4
Adium 1.3.3
Adium 1.3

Solution:
Updates are available. Please see below for details.

Slackware Linux 12.0
    * Slackware pidgin-2.6.3-i486-1_slack12.0.tgz
      ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/pidgin-2.6.3-i486-1_slack12.0.tgz

Slackware Linux 12.1
    * Slackware pidgin-2.6.3-i486-1_slack12.1.tgz
      ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/pidgin-2.6.3-i486-1_slack12.1.tgz

Slackware Linux 12.2
    * Slackware pidgin-2.6.3-i486-1_slack12.2.tgz
      ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/pidgin-2.6.3-i486-1_slack12.2.tgz

Slackware Linux 13.0
    * Slackware pidgin-2.6.3-i486-1_slack13.0.txz
      ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/pidgin-2.6.3-i486-1_slack13.0.txz

Slackware Linux 13.0 x86_64
    * Slackware pidgin-2.6.3-x86_64-1_slack13.0.txz
      ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/pidgin-2.6.3-x86_64-1_slack13.0.txz

Slackware Linux -current
    * Slackware pidgin-2.6.3-i486-1.txz
      ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/pidgin-2.6.3-i486-1.txz

Slackware Linux -current x86_64
    * Slackware pidgin-2.6.3-x86_64-1.txz
      ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/pidgin-2.6.3-x86_64-1.txz

Pidgin 2.0 through 2.6.1 (all Pidgin versions listed above)
    * Pidgin pidgin-2.6.3.tar.bz2
      http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2

[***** End CVE-2009-3615 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788