-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0013
          Multiple vulnerabilities have been identified in Pidgin
                              3 February 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Pidgin
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-0020 CVE-2013-6490 CVE-2013-6489
                      CVE-2013-6487 CVE-2013-6486 CVE-2013-6485
                      CVE-2013-6484 CVE-2013-6483 CVE-2013-6482
                      CVE-2013-6481 CVE-2013-6479 CVE-2013-6478
                      CVE-2013-6477 CVE-2012-6152 CVE-2011-3185
Member content until: Wednesday, March 5 2014

OVERVIEW

        Multiple vulnerabilities have been identified in versions of Pidgin
        prior to 2.10.8. They range from remotely triggerable crashes to
        buffer overflows reachable by a malicious server or man-in-the-middle,
        and are corrected in Pidgin 2.10.8.


IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:
        
        "CVE-2012-6152: Many places in the Yahoo! protocol plugin assumed 
        incoming strings were UTF-8 and failed to transcode from non-UTF-8 
        encodings. This can lead to a crash when receiving strings that 
        aren't UTF-8." [1]
        
        "CVE-2013-6477: A remote XMPP user can trigger a crash on some 
        systems by sending a message with a timestamp in the distant 
        future." [2]
        
        "CVE-2013-6478: libX11 forcefully exits when Pidgin tries to create
        an exceptionally wide tooltip window." [3]
        
        "CVE-2013-6479: A malicious server or man-in-the-middle could send a
        malformed HTTP response that could lead to a crash." [4]
        
        "CVE-2013-6481: The Yahoo! protocol plugin failed to validate a 
        length field before trying to read from a buffer, which could result
        in reading past the end of the buffer which could cause a crash." 
        [5]
        
        "CVE-2013-6482: A malformed Content-Length header could lead to a 
        NULL pointer dereference." [6 - 8]
        
        "CVE-2013-6483: The XMPP protocol plugin failed to ensure that iq 
        replies came from the person they were sent to. A remote user could
        send a spoofed iq reply and attempt to guess the iq id. This could 
        allow an attacker to inject fake data or trigger a null pointer 
        dereference." [9]
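
        To illustrate the check described for CVE-2013-6483, the following
        is an added example written for this bulletin, not libpurple's own
        code: a pending-iq table in C that accepts a reply only when its id
        is still outstanding and its 'from' matches the JID the request was
        addressed to. The table size, JID length, function names and the
        simplified rule for server-directed requests are assumptions.

```c
/* Added example (not libpurple code): match incoming iq replies against
 * outstanding requests by id AND by the JID the request was sent to, so a
 * stranger who guesses an id cannot inject a result. Sizes, names and the
 * server-directed rule below are assumptions made for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_PENDING 16
#define JID_MAX 256

struct pending_iq {
    bool in_use;
    char id[32];
    char to[JID_MAX];   /* JID the request was addressed to; "" = own server */
};

static struct pending_iq table[MAX_PENDING];

/* Record an outgoing iq so its reply can be matched later. Ids are assumed
 * to be unpredictable (random), not a counter an attacker can guess. */
bool iq_register(const char *id, const char *to) {
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!table[i].in_use) {
            table[i].in_use = true;
            snprintf(table[i].id, sizeof table[i].id, "%s", id);
            snprintf(table[i].to, sizeof table[i].to, "%s", to ? to : "");
            return true;
        }
    }
    return false;   /* table full: caller should not send the request */
}

/* Accept an iq result/error only if the id is pending and 'from' is the JID
 * we sent to. Simplified rule for requests sent to our own server (no 'to'):
 * the reply may omit 'from' or carry the server's domain. A valid match
 * consumes the entry; a mismatch leaves it pending for the real reply. */
bool iq_accept_reply(const char *id, const char *from, const char *my_server) {
    if (id == NULL) return false;
    for (int i = 0; i < MAX_PENDING; i++) {
        struct pending_iq *p = &table[i];
        if (!p->in_use || strcmp(p->id, id) != 0) continue;
        bool ok;
        if (p->to[0] == '\0')
            ok = (from == NULL || from[0] == '\0' || strcmp(from, my_server) == 0);
        else
            ok = (from != NULL && strcmp(from, p->to) == 0);
        if (ok) p->in_use = false;
        return ok;
    }
    return false;   /* unknown or stale id: drop it */
}

int main(void) {
    iq_register("k3j9x", "alice@example.org/phone");          /* constructed */
    printf("spoofed reply accepted: %d\n",
           iq_accept_reply("k3j9x", "mallory@example.net/x", "example.com"));
    printf("genuine reply accepted: %d\n",
           iq_accept_reply("k3j9x", "alice@example.org/phone", "example.com"));
    return 0;
}
```

        The point of consuming the entry only on a valid match is that a
        spoofed reply with a guessed id cannot evict the genuine reply
        that is still in flight.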
        
        "CVE-2013-6484: Incorrect error handling when reading the response 
        from a STUN server could lead to a crash." [10]
        
        "CVE-2013-6485: A malicious server or man-in-the-middle could cause
        a buffer overflow by sending a malformed HTTP response with chunked
        Transfer-Encoding with invalid chunk sizes." [11]
        
        "CVE-2013-6486: If a user clicks on a file:// URI in a received IM 
        in Windows builds of Pidgin, Pidgin attempts to execute the file. 
        This can be dangerous if the file:// URI is a path on a network 
        share. This was originally reported in CVE-2011-3185 in 2011 and we
        attempted to fix it then, but failed." [12]
        
        "CVE-2013-6487: A malicious server or man-in-the-middle could send a
        large value for Content-Length and cause an integer overflow which 
        could lead to a buffer overflow." [13]
        
        "CVE-2013-6489: A specially crafted emoticon value could cause an 
        integer overflow which could lead to a buffer overflow." [14]
        
        "CVE-2013-6490: A Content-Length of -1 could lead to a buffer 
        overflow." [15]
        
        "CVE-2014-0020: A malicious server or man-in-the-middle could 
        trigger a crash in libpurple by sending a message with fewer than 
        expected arguments." [16]
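
        Several of the issues above (CVE-2013-6482, CVE-2013-6485,
        CVE-2013-6487 and CVE-2013-6490) are variants of one mistake: an
        attacker-controlled HTTP length field is used for allocation or
        copying before it is validated. The following C code is an added
        example written for this bulletin, not Pidgin's code; it shows the
        naive Content-Length parse beside hardened Content-Length and
        chunk-size parsers. The MAX_BODY_LEN cap and the function names are
        assumptions.

```c
/* Added example (not Pidgin/libpurple code): the bug class behind the HTTP
 * length-handling CVEs above, shown as a naive parse beside a hardened one.
 * MAX_BODY_LEN and the function names are assumptions for illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest HTTP body an IM client would reasonably accept (assumed cap). */
#define MAX_BODY_LEN ((size_t)8 * 1024 * 1024)

/* Vulnerable pattern: trust the header value as an int. "-1" parses to -1
 * (cf. CVE-2013-6490) and a huge value wraps (cf. CVE-2013-6487); the
 * allocation or copy that follows then uses a size unrelated to the data. */
int naive_content_length(const char *hdr_value) {
    return atoi(hdr_value);
}

/* What the naive value becomes once it reaches malloc()/memcpy(): the
 * int -> size_t conversion turns -1 into SIZE_MAX. */
size_t naive_alloc_size(const char *hdr_value) {
    return (size_t)naive_content_length(hdr_value);
}

/* Hardened: decimal digits only, no sign, no wrap, capped, no trailing junk. */
bool parse_content_length(const char *s, size_t *out) {
    if (s == NULL || out == NULL) return false;
    while (*s == ' ' || *s == '\t') s++;
    if (!isdigit((unsigned char)*s)) return false;   /* rejects "", "-1", "+5" */
    size_t value = 0;
    for (; isdigit((unsigned char)*s); s++) {
        unsigned d = (unsigned)(*s - '0');
        /* value*10 + d must stay <= MAX_BODY_LEN; this also rules out wrap */
        if (value > (MAX_BODY_LEN - d) / 10) return false;
        value = value * 10 + d;
    }
    while (*s == ' ' || *s == '\t') s++;
    if (*s != '\0') return false;                    /* trailing garbage */
    *out = value;
    return true;
}

/* Hardened chunk-size parser for "chunk-size [ ; chunk-ext ]" (hex), the
 * field abused in CVE-2013-6485. Same cap and overflow discipline. */
bool parse_chunk_size(const char *line, size_t *out) {
    if (line == NULL || out == NULL) return false;
    if (!isxdigit((unsigned char)*line)) return false;
    size_t value = 0;
    for (; isxdigit((unsigned char)*line); line++) {
        int c = tolower((unsigned char)*line);
        unsigned d = isdigit(c) ? (unsigned)(c - '0') : (unsigned)(c - 'a') + 10;
        if (value > (MAX_BODY_LEN - d) / 16) return false;
        value = value * 16 + d;
    }
    while (*line == ' ' || *line == '\t') line++;
    if (*line != '\0' && *line != ';' && *line != '\r') return false;
    *out = value;
    return true;
}

/* Consume a body: the header may claim any length, but only what was
 * actually received, and only what fits the destination, is copied. */
bool copy_body(const unsigned char *recv_buf, size_t recv_len,
               const char *content_length_hdr,
               unsigned char *dst, size_t dst_cap, size_t *copied) {
    size_t want;
    if (!parse_content_length(content_length_hdr, &want)) return false;
    if (want > recv_len || want > dst_cap) return false;
    memcpy(dst, recv_buf, want);
    *copied = want;
    return true;
}

int main(void) {
    const char *samples[] = { "1234", "-1", "99999999", "12abc" };  /* constructed */
    for (size_t i = 0; i < 4; i++) {
        size_t n;
        printf("Content-Length: %-10s naive=%zu hardened=%s\n", samples[i],
               naive_alloc_size(samples[i]),
               parse_content_length(samples[i], &n) ? "accepted" : "rejected");
    }
    return 0;
}
```

        The cap matters as much as the overflow check: a value that does
        not wrap can still be far larger than the data on the wire, which
        is why copy_body compares the claimed length against the bytes
        actually received before touching memory.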


MITIGATION

        The vendor recommends updating to Pidgin 2.10.8 or later, which
        corrects all of the issues listed above. [1 - 16]


REFERENCES

        [1] Yahoo! remote crash from incorrect character encoding
            http://www.pidgin.im/news/security/?id=70

        [2] Crash handling bad XMPP timestamp
            http://www.pidgin.im/news/security/?id=71

        [3] Crash when hovering pointer over a long URL
            http://www.pidgin.im/news/security/?id=72

        [4] Remote crash parsing HTTP responses
            http://www.pidgin.im/news/security/?id=73

        [5] Remote crash reading Yahoo! P2P message
            http://www.pidgin.im/news/security/?id=74

        [6] NULL pointer dereference parsing headers in MSN
            http://www.pidgin.im/news/security/?id=75

        [7] NULL pointer dereference parsing OIM data in MSN
            http://www.pidgin.im/news/security/?id=76

        [8] CVE-2013-6482
            http://www.pidgin.im/news/security/?id=77

        [9] XMPP doesn't verify 'from' on some iq replies
            http://www.pidgin.im/news/security/?id=78

        [10] Crash reading response from STUN server
             http://www.pidgin.im/news/security/?id=79

        [11] Buffer overflow parsing chunked HTTP responses
             http://www.pidgin.im/news/security/?id=80

        [12] Pidgin uses clickable links to untrusted executables
             http://www.pidgin.im/news/security/?id=81

        [13] Buffer overflow in Gadu-Gadu HTTP parsing
             http://www.pidgin.im/news/security/?id=82

        [14] Buffer overflow in MXit emoticon parsing
             http://www.pidgin.im/news/security/?id=83

        [15] Buffer overflow in SIMPLE header parsing
             http://www.pidgin.im/news/security/?id=84

        [16] Remotely triggerable crash in IRC argument parsing
             http://www.pidgin.im/news/security/?id=85

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUu8l4BLndAQH1ShLAQJq3w//TITQk1BKWGAOsndn4lazzWdTsZ7WU6Wp
TAxNybG6JZsKoccL9EucNBNG1EJfcm3UagRQ4Bwu7x0x1SwIWL+A684JmyK34/kZ
SAyj1urLFIXs/ItvJ2t8juvcmEVUVlG9vNZhbAYLZh9LWuuaoqSzDvtgHkvbbyln
KCxeAfvUuk+1q/jiUusmmaFvcTfkvhBKMxjT+nC5xVtJXqPL9JdgzhLzH3SyErTq
X5XbTIQgsgELoB1iX6r5MFq7CTSG3NfgMW7t6pPPgnsFGm53pvq0wivSl5jxWpaj
KG6dBUFaqHxFXwy9o6vcfKPlgNjp6juFTEY7W31nxz3exEFep6a1Wh1FDfLoWbwA
g1S8F1220qCn8QbGozlZtT6cbjEIs4jbAtMQ7QKkpEIfo9T8R4bDY0PngAPSypIF
y3/DajQsTJbvmt4vMQZ+rAmYYxhLrFTcd6czGgM7Ouna60oUIIuB6i2UU1HB/YiI
kbQY1+3oNeuQD8H+WnuXRh8rJriaSEhwSAmJmcWZbsDhUJKImJYXI2qZCD2SdOAs
JvJP5sGwuINlmlzbptrrjWcJRFzyRQliicgDW7lwNYbRwf9Grav1p88Xku0R3ldp
S2TreaMpBPls+bwCF8OCI/t5dB8Ymck6sJv+/UzHVUiqJoSTl/L3Lnr/YvFRg+tF
veuaockzttE=
=kmFc
-----END PGP SIGNATURE-----