Date: Tue, 8 Jul 2008 08:39:54 -0600
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE Request (pidgin)

* [2008-07-05 13:56:00 +0200] Nico Golde wrote:

>Hi Vincent,
>* Vincent Danen <vdanen@...sec.ca> [2008-07-03 21:42]:
>> * [2008-07-01 17:25:40 -0400] Steven M. Christey wrote:
>> >Name: CVE-2008-2957
>> >Status: Candidate
>> >URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957
>> >Reference: MISC:http://crisp.cs.du.edu/?q=ca2007-1
>> >Reference: MLIST:[oss-security] 20080627 CVE Request (pidgin)
>> >Reference: URL:http://www.openwall.com/lists/oss-security/2008/06/27/3
>> >
>> >The UPnP functionality in Pidgin 2.0.0, and possibly other versions,
>> >allows remote attackers to trigger the download of arbitrary files and
>> >cause a denial of service (memory or disk consumption) via a UDP
>> >packet that specifies an arbitrary URL.
>> 
>> There are patches with the original advisory for these two.  Has anyone
>> had a chance to look at them to make sure they're ok?  I don't see any
>> references to any of these issues on the pidgin website and no vendors
>> have issued pidgin updates for these that I can see, so I'm wondering if
>> anyone has looked at these patches (be it vendors or upstream) to
>> determine whether or not they're sufficient and/or suitable to apply to
>> a security update.
>
>I just had a look at http://crisp.cs.du.edu/crisp-files/pidgin-2.0.0-upnp-limit-download.diff 
>to fix CVE-2008-2957. I think the patch itself is fine;
>however, I am not sure if this is the right way to fix the
>issue because it basically just works around the problem by
>limiting the downloads triggered by UPnP (128k) without
>giving any way to reconfigure this value or to switch it off
>completely. This may be the reason why there isn't yet an
>official patch by the pidgin people.
>
>If you want to go with that simple workaround the patch is 
>just fine.

Thanks for looking at it, Nico.  I think the consensus of the Pidgin
developers is that neither issue is very serious, which I think is
another reason why it hasn't been fixed upstream yet.  I think what I'm
going to do is just wait for them to fix it upstream before fixing
anything (if they determine it isn't really a vulnerability, then I'd
rather not waste my time fixing something that isn't really an issue).

-- 
Vincent Danen @ http://linsec.ca/
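Nico's objection above is that the third-party patch hard-codes a 128k ceiling on UPnP-triggered downloads with no way to raise it or turn it off. The following is an added illustration of the mitigation pattern being discussed, a bounded download sink with a configurable cap where 0 disables the limit; it is not Pidgin's UPnP code and not the crisp.cs.du.edu patch, and every name in it (`bounded_download`, `simulate_download`, the default macro) is an assumption made for the example. The response bytes it consumes are constructed in-line, so it runs offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded download sink (added example; not Pidgin's UPnP code
 * and not the crisp.cs.du.edu patch). Names and structure are assumptions. */

/* The 128k cap mentioned in the thread, used here only as the default. */
#define UPNP_DEFAULT_MAX_DOWNLOAD ((size_t)128 * 1024)

typedef struct {
    size_t max_bytes;  /* cap on accepted bytes; 0 means no limit ("switched off") */
    size_t received;   /* bytes accepted so far */
    char  *buf;        /* accumulated body */
    size_t cap;        /* allocated size of buf */
    int    aborted;    /* set once the cap was exceeded or allocation failed */
} bounded_download;

void bounded_download_init(bounded_download *d, size_t max_bytes)
{
    memset(d, 0, sizeof *d);
    d->max_bytes = max_bytes;
}

void bounded_download_free(bounded_download *d)
{
    free(d->buf);
    d->buf = NULL;
    d->cap = 0;
}

/* Feed one chunk as it arrives from the network. Returns 1 if accepted, 0 if
 * the download was aborted (cap exceeded or out of memory). On abort the
 * buffer is released at once, so an oversized response holds no memory. */
int bounded_download_feed(bounded_download *d, const char *data, size_t len)
{
    if (d->aborted)
        return 0;
    /* Written as a subtraction so received + len cannot overflow. */
    if (d->max_bytes != 0 && len > d->max_bytes - d->received) {
        d->aborted = 1;
        bounded_download_free(d);
        return 0;
    }
    if (len > d->cap - d->received) {
        size_t ncap = d->cap ? d->cap : 4096;
        while (ncap - d->received < len)
            ncap *= 2;
        char *nb = realloc(d->buf, ncap);
        if (nb == NULL) {
            d->aborted = 1;
            bounded_download_free(d);
            return 0;
        }
        d->buf = nb;
        d->cap = ncap;
    }
    memcpy(d->buf + d->received, data, len);
    d->received += len;
    return 1;
}

/* Drives the sink with a constructed response of total_len bytes delivered in
 * chunks of chunk_len. Returns the bytes kept, or 0 if the download was aborted. */
size_t simulate_download(size_t max_bytes, size_t total_len, size_t chunk_len)
{
    char chunk[512];
    bounded_download d;
    size_t sent = 0;
    int ok = 1;

    memset(chunk, 'A', sizeof chunk);  /* constructed payload bytes */
    if (chunk_len == 0)
        chunk_len = 1;
    if (chunk_len > sizeof chunk)
        chunk_len = sizeof chunk;
    bounded_download_init(&d, max_bytes);
    while (ok && sent < total_len) {
        size_t n = total_len - sent;
        if (n > chunk_len)
            n = chunk_len;
        ok = bounded_download_feed(&d, chunk, n);
        sent += n;
    }
    size_t kept = d.aborted ? 0 : d.received;
    bounded_download_free(&d);
    return kept;
}

int main(void)
{
    printf("64k under default cap: %zu bytes kept\n",
           simulate_download(UPNP_DEFAULT_MAX_DOWNLOAD, 64 * 1024, 512));
    printf("200k under default cap: %zu bytes kept (0 = aborted)\n",
           simulate_download(UPNP_DEFAULT_MAX_DOWNLOAD, 200 * 1024, 512));
    printf("200k with cap switched off: %zu bytes kept\n",
           simulate_download(0, 200 * 1024, 512));
    return 0;
}
```

The point of checking the cap on every chunk, rather than trusting a Content-Length header, is that an unsolicited UPnP response can lie about its size; the sink therefore stops and frees what it has as soon as the running total would pass the limit. Making the limit a parameter (with 0 meaning off) is the configurability Nico asked for; a real integration would read it from the application's preferences rather than a compile-time default.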
