Bug 641921 (CVE-2010-3711)

Summary: CVE-2010-3711 Pidgin (libpurple): Multiple DoS (crash) flaws by processing of unsanitized Base64 decoder values
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: jrb, mbarnes, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-11-16 20:22:45 UTC
Bug Depends On: 644153, 644155, 644157, 644158, 645297, 645410, 645413, 833967
Attachments: Revised patch for 2.6.6 (flags: none)

Description Jan Lieskovsky 2010-10-11 14:38:07 UTC
Pidgin did not sanitize the output of the Base64 decode operation prior to its
further processing. A remote attacker, a valid Pidgin user, could use this flaw to cause:

a, NULL pointer dereference (pidgin daemon crash) by transferring a
   specially-crafted buddy icon via the Yahoo protocol plugin

b, NULL pointer dereference (pidgin daemon crash) by providing a
   specially-crafted IP address value for peer-to-peer connection
   in the Yahoo protocol plugin

c, NULL pointer dereference (pidgin daemon crash) by providing a
   specially-crafted transfer header in the MSN protocol plugin

d, NULL pointer dereference (pidgin daemon crash) by providing a
   specially-crafted login challenge value in the MySpace protocol
   plugin

e, NULL pointer dereference (pidgin daemon crash) by providing a
   specially-crafted Digest-MD5 authentication challenge in the
   XMPP protocol plugin

   Note: This crash can happen only when Cyrus SASL is not available
         or does not provide Digest-MD5 support

f, NULL pointer dereference (pidgin daemon crash) by providing a
   specially-crafted Type 2 message by authentication via the NTLM
   protocol


Acknowledgements: 

Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges Daniel Atallah as the original reporter.
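
The bug class described above, as an added example that is not part of the original report and is not Pidgin's code: a caller that uses a Base64 decoder's result without checking it, next to the checked form. The decoder `demo_b64_decode`, the two `read_flags_*` functions and the 4-byte "flags" field are hypothetical names constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
static int b64val(int c) {
    const char *t = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(t, c) : NULL;
    return p ? (int)(p - t) : -1;
}

/* Stand-in decoder (constructed, not libpurple's): NULL and *len = 0 on empty or malformed input. */
unsigned char *demo_b64_decode(const char *s, size_t *len) {
    size_t n = s ? strlen(s) : 0, o = 0;
    *len = 0;
    if (n == 0 || n % 4 != 0) return NULL;
    size_t pad = s[n - 1] != '=' ? 0 : (s[n - 2] == '=' ? 2 : 1);
    unsigned char *out = malloc(n / 4 * 3);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i += 4) {
        int v[4];
        for (size_t j = 0; j < 4; j++) {
            v[j] = (i + j >= n - pad) ? 0 : b64val((unsigned char)s[i + j]);
            if (v[j] < 0) { free(out); return NULL; }
        }
        out[o++] = (unsigned char)(v[0] << 2 | v[1] >> 4);
        out[o++] = (unsigned char)((v[1] & 0xF) << 4 | v[2] >> 2);
        out[o++] = (unsigned char)((v[2] & 0x3) << 6 | v[3]);
    }
    *len = o - pad;
    return out;
}

/* Unchecked pattern: the decoder's result is used as-is, so a NULL result crashes the client. */
int read_flags_unchecked(const char *b64, uint32_t *flags) {
    size_t len;
    unsigned char *d = demo_b64_decode(b64, &len);
    memcpy(flags, d, sizeof *flags);   /* NULL dereference when d == NULL */
    free(d);
    return 0;
}

/* Checked pattern: reject NULL and too-short output before reading the field. */
int read_flags_checked(const char *b64, uint32_t *flags) {
    size_t len;
    unsigned char *d = demo_b64_decode(b64, &len);
    if (d == NULL || len < sizeof *flags) { free(d); return -1; }
    memcpy(flags, d, sizeof *flags);
    free(d);
    return 0;
}
```

The length check matters as much as the NULL check: a decode that succeeds but yields fewer bytes than the field being read must also be rejected.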

Comment 5 Jan Lieskovsky 2010-10-11 15:18:34 UTC
These issues affect the versions of the pidgin package, as shipped
with Red Hat Enterprise Linux 3, 4, and 5.

--

These issues affect the versions of the pidgin package, as shipped
with Fedora releases 12 and 13.

Comment 7 Jan Lieskovsky 2010-10-11 15:33:01 UTC
CVE identifier of CVE-2010-3711 has been assigned to these issues.

Comment 20 Huzaifa S. Sidhpurwala 2010-10-21 07:09:29 UTC
Public via:
[1] http://pidgin.im/news/security/?id=48

Upstream changeset:
[2] http://developer.pidgin.im/viewmtn/revision/info/b01c6a1f7fe4d86b83f5f10917b3cb713989cfcc

Comment 21 Huzaifa S. Sidhpurwala 2010-10-21 09:23:37 UTC
Created pidgin tracking bugs for this issue

Affects: fedora-all [bug 645297]

Comment 23 errata-xmlrpc 2010-10-21 16:52:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0788 https://rhn.redhat.com/errata/RHSA-2010-0788.html

Comment 24 Matthew Barnes 2010-10-21 17:25:17 UTC
Am I correct that only f12 and f13 need patched, and f14 and f15 will be fixed by rebasing to Pidgin 2.7.4?

Comment 25 errata-xmlrpc 2010-11-16 17:36:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0890 https://rhn.redhat.com/errata/RHSA-2010-0890.html