[arch-security] [ASA-201703-18] libpurple: arbitrary code execution

Levente Polyak anthraxx at archlinux.org
Thu Mar 23 19:01:08 UTC 2017


Arch Linux Security Advisory ASA-201703-18
==========================================

Severity: High
Date    : 2017-03-21
CVE-ID  : CVE-2017-2640
Package : libpurple
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-226

Summary
=======

The package libpurple before version 2.12.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 2.12.0-1.

# pacman -Syu "libpurple>=2.12.0-1"

The problem has been fixed upstream in version 2.12.0.

Workaround
==========

None.

Description
===========

An out-of-bounds write has been found in libpurple < 2.12.0 in the
purple_markup_unescape_entity function. This issue can be triggered by
a malicious server sending invalid XML entities separated by
whitespace, eg "ஸ" to the client.

Impact
======

A remote attacker is able to execute arbitrary code on the affected
host if it connects to a malicious server.

References
==========

http://seclists.org/fulldisclosure/2017/Mar/57
https://www.pidgin.im/news/security/?id=109
https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9
https://security.archlinux.org/CVE-2017-2640

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20170323/40dbf60c/attachment.asc>


More information about the arch-security mailing list