ArchLinux: 201606-24: libpurple: multiple issues
Summary
- CVE-2016-2365 (denial of service)
Specially crafted MXIT data sent via the server could potentially result
in a null pointer dereference.
- CVE-2016-2366 (denial of service)
Specially crafted MXIT data sent via the server could potentially result
in an out-of-bounds read.
- CVE-2016-2367 (information leakage, denial of service)
Specially crafted MXIT data sent via the server could potentially result
in an out-of-bounds read. This issue can also potentially leak sensitive
information from memory into the data after the avatar, which can then be
transferred when the avatar is copied.
- CVE-2016-2368 (arbitrary code execution)
Specially crafted MXIT data sent via the server could potentially result
in a buffer overflow. The MXIT plugin for Pidgin uses the return value of
g_snprintf() in about 27 places. g_snprintf() returns the number of bytes
that would have been written had the buffer been large enough, not the
number of bytes actually written. In multiple locations the MXIT plugin
uses that return value as an index or offset into the string being
manipulated without checking that it is within bounds.
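The return-value pattern behind CVE-2016-2368, as an added illustration that is not Pidgin code: standard snprintf() is used as a stand-in for g_snprintf() (same return semantics), BUF_LEN is a constructed small buffer size, and the key/value "profile" format is invented for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example (not Pidgin code): a small fixed buffer standing in
 * for the MXIT plugin's packet buffer, and two ways of advancing an offset
 * after snprintf(). snprintf() and g_snprintf() return the length the full
 * output WOULD have had, not how many bytes were actually stored. */
#define BUF_LEN 32

/* Bug pattern from CVE-2016-2368: take the return value as the new offset
 * without checking it against the room left. The write here is bounded, so
 * nothing is corrupted; the returned offset is what is wrong, and a caller
 * that trusts it would write past the buffer on the next append. */
int next_offset_unchecked(char *buf, size_t buflen, int offset,
                          const char *key, const char *val)
{
    int n = snprintf(buf + offset, buflen - (size_t)offset, "%s=%s;", key, val);
    return offset + n;   /* may exceed buflen after a truncated write */
}

/* Hardened form: reject a bad starting offset, detect truncation, and never
 * hand back an offset that points past the buffer. Returns -1 on failure. */
int next_offset_checked(char *buf, size_t buflen, int offset,
                        const char *key, const char *val)
{
    if (offset < 0 || (size_t)offset >= buflen)
        return -1;
    size_t room = buflen - (size_t)offset;
    int n = snprintf(buf + offset, room, "%s=%s;", key, val);
    if (n < 0 || (size_t)n >= room)      /* output was cut short */
        return -1;
    return offset + n;
}

/* Build a "profile" from key/value pairs with the checked appender.
 * Returns the final length, or -1 if any field did not fit. */
int build_profile(char *buf, size_t buflen, const char *const kv[][2], int pairs)
{
    int off = 0;
    buf[0] = '\0';
    for (int i = 0; i < pairs; i++) {
        off = next_offset_checked(buf, buflen, off, kv[i][0], kv[i][1]);
        if (off < 0)
            return -1;
    }
    return off;
}
```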
- CVE-2016-2369 (denial of service)
Specially crafted MXIT data sent via the server could potentially result
in a NULL pointer dereference.
- CVE-2016-2370 (denial of service)
Specially crafted MXIT data sent via the server could potentially result
in an out-of-bounds read.
- CVE-2016-2371 (arbitrary code execution)
Specially crafted MXIT data sent via the server could potentially result
in a buffer overflow. The function mxit_parse_cmd_extprofile() is called
when extended profile packets are received from the server. A malicious
server, an attacker who intercepts the network traffic or a potentially
malicious user (if the data is not validated by the server) can send an
invalid number of records, which could result in an out-of-bounds write
of data.
- CVE-2016-2372 (information leakage, denial of service)
Specially crafted MXIT data sent via the server could potentially result
in an out-of-bounds read. This issue can also potentially leak sensitive
information by appending sensitive information from memory to the end of
a received file.
- CVE-2016-2373 (denial of service)
Specially crafted MXIT data sent via the server could potentially result
in an out-of-bounds read. A malicious server or user can send an invalid
mood to trigger this vulnerability.
- CVE-2016-2374 (arbitrary code execution)
Specially crafted MXIT MultiMX message sent via the server can result in
an out-of-bounds write leading to memory disclosure and code execution.
- CVE-2016-2375 (information leakage)
Specially crafted MXIT data sent from the server could potentially
result in an out-of-bounds read. In the function
mxit_parse_cmd_suggestcontacts() in the file mxit/protocol.c at line
2020 the number of attributes will be read from the incoming packet into
the variable count.
- CVE-2016-2376 (arbitrary code execution)
Specially crafted MXIT data sent from the server could potentially
result in a buffer overflow. The function mxit_cb_rx in the file
mxit/protocol.c is a callback that Pidgin calls whenever data arrives
from the MXIT server. When data is received, the size of the incoming
packet is also received at line 2825. A check at line 2826 ensures that
this size is not larger than the maximum size an MXIT packet can have,
which is defined as CP_MAX_PACKET and is also the size of the buffer the
data is read into. However, if the size is larger than CP_MAX_PACKET, an
error is logged but execution simply continues. Moreover, if the size is
negative (possible because rx_res is an int), no error is logged and
execution also continues.
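The length check described for CVE-2016-2376, as an added illustration that is not Pidgin code: CP_MAX_PACKET and rx_res are the advisory's names, the value 16 is a constructed stand-in for the real cap, and the function names are invented for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example (not Pidgin code). CP_MAX_PACKET is the advisory's
 * name for the packet cap; 16 is a small stand-in value. rx_res mirrors the
 * advisory's signed int length field. */
#define CP_MAX_PACKET 16

/* Shape of the check the advisory describes: the size is compared with the
 * cap, a failure is only logged, and a negative int is not caught at all.
 * Returns 1 because the caller continues regardless of the outcome. */
int size_check_log_only(int rx_res, int *logged)
{
    *logged = (rx_res > CP_MAX_PACKET);
    return 1;   /* execution continues either way */
}

/* Hardened form: reject negatives, reject oversize, and hand back the
 * length as size_t so the copy below cannot run with a bad value.
 * Returns 0 on success, -1 if negative, -2 if larger than the cap. */
int validate_rx_len(int rx_res, size_t *len_out)
{
    if (rx_res < 0)
        return -1;
    if ((size_t)rx_res > CP_MAX_PACKET)
        return -2;
    *len_out = (size_t)rx_res;
    return 0;
}

/* Copy a received packet into a CP_MAX_PACKET-sized buffer only after the
 * length has passed validation. Returns bytes copied, or a negative error. */
int receive_packet(unsigned char dst[CP_MAX_PACKET], const unsigned char *src, int rx_res)
{
    size_t len;
    int rc = validate_rx_len(rx_res, &len);
    if (rc != 0)
        return rc;
    memcpy(dst, src, len);
    return (int)len;
}
```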
- CVE-2016-2377 (arbitrary code execution)
Specially crafted MXIT data sent by the server could potentially result
in an out-of-bounds write of one byte.
- CVE-2016-2378 (arbitrary code execution)
Specially crafted data sent via the server could potentially result in a
buffer overflow, potentially resulting in memory corruption.
- CVE-2016-2380 (information leakage)
Specially crafted MXIT data sent to the server could potentially result
in an out-of-bounds read. A user could be convinced to enter a
particular string which would then be converted incorrectly, leading to
an out-of-bounds read.
- CVE-2016-4323 (directory traversal)
Specially crafted MXIT data sent from the server could potentially
result in an overwrite of files. A malicious server or someone with
access to the network traffic can provide an invalid filename for a
splash image triggering the vulnerability.
Resolution
Upgrade to 2.11.0-1.
# pacman -Syu "libpurple>=2.11.0-1"
The problems have been fixed upstream in version 2.11.0.
References
https://blog.talosintelligence.com/vulnerability-spotlight-pidgin/
https://access.redhat.com/security/cve/CVE-2016-2365
https://access.redhat.com/security/cve/CVE-2016-2366
https://access.redhat.com/security/cve/CVE-2016-2367
https://access.redhat.com/security/cve/CVE-2016-2368
https://access.redhat.com/security/cve/CVE-2016-2369
https://access.redhat.com/security/cve/CVE-2016-2370
https://access.redhat.com/security/cve/CVE-2016-2371
https://access.redhat.com/security/cve/CVE-2016-2372
https://access.redhat.com/security/cve/CVE-2016-2373
https://access.redhat.com/security/cve/CVE-2016-2374
https://access.redhat.com/security/cve/CVE-2016-2375
https://access.redhat.com/security/cve/CVE-2016-2376
https://access.redhat.com/security/cve/CVE-2016-2377
https://access.redhat.com/security/cve/CVE-2016-2378
https://access.redhat.com/security/cve/CVE-2016-2380
https://access.redhat.com/security/cve/CVE-2016-4323
Workaround
All flaws were found in the support for the MXit protocol, so libpurple is only vulnerable when that protocol is in use. Disabling MXit accounts until the package can be upgraded should therefore be sufficient.