search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Libpurple buffer overflow vulnerability

Vulnerability Note VU#582244

Original Release Date: 2009-08-21 | Last Revised: 2009-08-21

Overview

The Libpurple instant messenger library contains a vulnerability that may allow an attacker to execute arbitrary code.

Description

Libpurple is an instant messenger (IM) library that is used by various programs to connect to multiple networks. Libpurple contains a buffer overflow vulnerability that can be triggered by sending specially crafted MSNSLP messages to a program that is using an affected version of the library.

For more technical details, see CORE Advisory CORE-2009-0727.

Impact

An attacker may be able to execute arbitrary code or cause an IM program to crash.

Solution

Upgrade
Instant messenger programs may distribute Libpurple and will provide an updated version to their users as a security update. See the systems affected portion of this document for a partial list of affected IM clients. Users who compile Libpurple or IM programs should see the Libpurple site or their operating system vendor for updated software.


Restrict Access

The most likely attack vector for this issue would be via the MSN IM network. Administrators may be able to temporarily mitigate this issue by blocking access to the MSN IM network. This workaround is not likely to be totally effective.

Vendor Information

582244
 

Pidgin Affected

Updated:  August 21, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0 E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND)
Environmental 0 CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND)

References

Acknowledgements

Information from CORE Advisory CORE-2009-0727 was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2009-2694
Severity Metric: 10.19
Date Public: 2009-08-18
Date First Published: 2009-08-21
Date Last Updated: 2009-08-21 18:59 UTC
Document Revision: 12

Sponsored by CISA.