Arch Linux: ASA-201410-9 High: libpurple Remote DoS And Info Leak

The package libpurple before version 2.10.10-1 is vulnerable to a remote denial of service and remote information leakage.

Arch Linux Security Advisory ASA-201410-9
========================================
Severity: High
Date    : 2014-10-22
CVE-ID  : CVE-2014-3695, CVE-2014-3696, CVE-2014-3698
Package : libpurple
Type    : Remote denial of service, Information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
======
The package libpurple before version 2.10.10-1 is vulnerable to a remote
denial of service and remote information leakage.

Resolution
=========
Upgrade to 2.10.10-1.

# pacman -Syu "libpurple>=2.10.10-1"

The problem has been fixed upstream in version 2.10.10.

Workaround
=========
None.

Description
==========
A malicious server and possibly even a malicious remote user could
create a carefully crafted XMPP message that causes libpurple to send an
XMPP message containing arbitrary memory.
A malicious server or man-in-the-middle could trigger a crash in
libpurple by sending an emoticon via MXit with an overly large length value.
A malicious server or man-in-the-middle could trigger a crash in
libpurple by specifying that a large amount of memory should be
allocated in a Novell Groupwise message.

Impact
=====
A remote attacker could access arbitrary memory from any application
using libpurple via a specially crafted XMPP message.
A remote attacker in position of man-in-the-middle, or a malicious
server, could remotely crash any application using libpurple via a MXit
or Novell Groupwise message.

References
=========
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3695
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3696
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3698