[arch-security] [ASA-201606-24] libpurple: multiple issues

Remi Gacogne rgacogne at archlinux.org
Sat Jun 25 17:50:07 UTC 2016


Arch Linux Security Advisory ASA-201606-24
==========================================

Severity: Critical
Date    : 2016-06-25
CVE-ID  : CVE-2016-2365 CVE-2016-2366 CVE-2016-2367 CVE-2016-2368
          CVE-2016-2369 CVE-2016-2370 CVE-2016-2371 CVE-2016-2372
          CVE-2016-2373 CVE-2016-2374 CVE-2016-2375 CVE-2016-2376
          CVE-2016-2377 CVE-2016-2378 CVE-2016-2380 CVE-2016-4323
Package : libpurple
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package libpurple before version 2.11.0-1 is vulnerable to multiple
issues including information leakage, denial of service, directory
traversal and arbitrary code execution.

Resolution
==========

Upgrade to 2.11.0-1.

# pacman -Syu "libpurple>=2.11.0-1"

The problems have been fixed upstream in version 2.11.0.

Workaround
==========

All flaws have been found in the support for the MXit protocol.
Therefore libpurple is only vulnerable when this protocol is used, so
disabling MXit accounts until the package can be upgraded should be enough.

Description
===========

- CVE-2016-2365 (denial of service)

Specially crafted MXIT data sent via the server could potentially result
in a null pointer dereference.

- CVE-2016-2366 (denial of service)

Specially crafted MXIT data sent via the server could potentially result
in an out-of-bounds read.

- CVE-2016-2367 (information leakage, denial of service)

Specially crafted MXIT data sent via the server could potentially result
in an out of bounds read. This issue can also potentially leak sensitive
information from memory into the data after the avatar which can then be
transferred when the avatar is copied.

- CVE-2016-2368 (arbitrary code execution)

Specially crafted MXIT data sent via the server could potentially result
in a buffer overflow. The MXIT plugin for Pidgin uses the function
g_snprintf() in about 27 places where it receives the return value of
the function. When g_snprintf() returns, it will return the number of
bytes that would have been written had the buffer been large enough, not
the amount of bytes that have actually been written. The MXIT plugin
uses the return value of g_snprintf() as an index or an offset into the
string that is being manipulated in multiple locations without making
sure that the return value is within bounds.

- CVE-2016-2369 (denial of service)

Specially crafted MXIT data sent via the server could potentially result
in a NULL pointer dereference.

- CVE-2016-2370 (denial of service)

Specially crafted MXIT data sent via the server could potentially result
in an out-of-bounds read.

- CVE-2016-2371 (arbitrary code execution)

Specially crafted MXIT data sent via the server could potentially result
in a buffer overflow. The function mxit_parse_cmd_extprofile() is called
when extended profile packets are received from the server. A malicious
server, an attacker who intercepts the network traffic or a potentially
malicious user (if the data is not validated by the server) can send an
invalid number of records, which could result in an out-of-bounds write
of data.

- CVE-2016-2372 (information leakage, denial of service)

Specially crafted MXIT data sent via the server could potentially result
in an out-of-bounds read. This issue can also potentially leak sensitive
information by appending sensitive information from memory to the end of
a received file.

- CVE-2016-2373 (denial of service)

Specially crafted MXIT data sent via the server could potentially result
in an out-of-bounds read. A malicious server or user can send an invalid
mood to trigger this vulnerability.

- CVE-2016-2374 (arbitrary code execution)

Specially crafted MXIT MultiMX message sent via the server can result in
an out-of-bounds write leading to memory disclosure and code execution.

- CVE-2016-2375 (information leakage)

Specially crafted MXIT data sent from the server could potentially
result in an out-of-bounds read. In the function
mxit_parse_cmd_suggestcontacts() in the file mxit/protocol.c at line
2020 the number of attributes will be read from the incoming packet into
the variable count.

- CVE-2016-2376 (arbitrary code execution)

Specially crafted MXIT data sent from the server could potentially
result in a buffer overflow. The function mxit_cb_rx in the file
mxit/protocol.c is a callback function will be called by Pidgin whenever
data is sent from the MXIT server. When data is received, the size of
the incoming packet will also be received at line 2825. There is a check
at line 2826 to ensure that this data isn't larger than the maximum size
of that an MXIT packet can be which is defined as CP_MAX_PACKET. This is
also the size of the buffer that the data is read into. However if the
size is larger than CP_MAX_PACKET, an error will be logged but execution
will simply continue. Moreover, if the size is negative (this is
possible since rx_res is an int) then no error will be logged and
execution will also continue.

- CVE-2016-2377 (arbitrary code execution)

Specially crafted MXIT data sent by the server could potentially result
in an out of bounds write of one byte.

- CVE-2016-2378 (arbitrary code execution)

Specially crafted data sent via the server could potentially result in a
buffer overflow, potentially resulting in memory corruption.

- CVE-2016-2380 (information leakage)

Specially crafted MXIT data sent to the server could potentially result
in an out of bounds read. A user could be convinced to enter a
particular string which would then get converted incorrectly and could
lead to a potential out-of-bounds read.

- CVE-2016-4323 (directory traversal)

Specially crafted MXIT data sent from the server could potentially
result in an overwrite of files. A malicious server or someone with
access to the network traffic can provide an invalid filename for a
splash image triggering the vulnerability.


Impact
======

A remote attacker might be able to access sensitive information, cause a
denial of service or execute arbitrary code on the affected host.

References
==========

http://blog.talosintel.com/2016/06/vulnerability-spotlight-pidgin.html
https://access.redhat.com/security/cve/CVE-2016-2365
https://access.redhat.com/security/cve/CVE-2016-2366
https://access.redhat.com/security/cve/CVE-2016-2367
https://access.redhat.com/security/cve/CVE-2016-2368
https://access.redhat.com/security/cve/CVE-2016-2369
https://access.redhat.com/security/cve/CVE-2016-2370
https://access.redhat.com/security/cve/CVE-2016-2371
https://access.redhat.com/security/cve/CVE-2016-2372
https://access.redhat.com/security/cve/CVE-2016-2373
https://access.redhat.com/security/cve/CVE-2016-2374
https://access.redhat.com/security/cve/CVE-2016-2375
https://access.redhat.com/security/cve/CVE-2016-2376
https://access.redhat.com/security/cve/CVE-2016-2377
https://access.redhat.com/security/cve/CVE-2016-2378
https://access.redhat.com/security/cve/CVE-2016-2380
https://access.redhat.com/security/cve/CVE-2016-4323

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160625/babc3b03/attachment-0001.asc>


More information about the arch-security mailing list