Overview
The Libpurple instant messenger library contains a vulnerability that may allow an attacker to execute arbitrary code.
Description
Libpurple is an instant messenger (IM) library that is used by various programs to connect to multiple networks. Libpurple contains a buffer overflow vulnerability that can be triggered by sending specially crafted MSNSLP messages to a program that is using an affected version of the library. For more technical details, see CORE Advisory CORE-2009-0727. |
Impact
An attacker may be able to execute arbitrary code or cause an IM program to crash. |
Solution
Upgrade |
|
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- |
| Temporal | 0 | E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND) |
| Environmental | 0 | CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND) |
References
- http://pidgin.im/news/security/?id=34
- http://developer.pidgin.im/wiki/WhatIsLibpurple
- http://www.coresecurity.com/content/libpurple-arbitrary-write#lref.4
- http://msnpiki.msnfanatic.com/index.php/MSNC:MSNSLP
- http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_500_Series_Firewall_with_software_version_6.x_in_order_to_block_the_MSN_messenger_with_the_access-list_command
Acknowledgements
Information from CORE Advisory CORE-2009-0727 was used in this report.
This document was written by Ryan Giobbi.
Other Information
| CVE IDs: | CVE-2009-2694 |
| Severity Metric: | 10.19 |
| Date Public: | 2009-08-18 |
| Date First Published: | 2009-08-21 |
| Date Last Updated: | 2009-08-21 18:59 UTC |
| Document Revision: | 12 |