A handful of security vulnerabilities were patched in the most recent release of the Pidgin open source instant messaging client, Pidgin 2.10.10, including an SSL/TLS certificate validation issue that could be exploited in man-in-the-middle attacks.
Reported by Jacob Appelbaum of the Tor Project, the vulnerability was found in the Pidgin NSS and GnuTLS plugins. According to the description of CVE-2014-3694, the OpenSSL SSL/TLS plugin in libpurple that is bundled with Pidgin does not properly consider the Basic Constraints extension when verifying certificates from SSL servers. An attacker with a phony certificate could spoof a legitimate cert to steal data.
Libpurple is the core library used by Pidgin; the library supports several instant messaging protocols including Adium for Mac OS X, Meebo, BitlBee and others.
“This fixes a security hole that allowed a malicious man-in-the-middle to impersonate an IM server or any other https endpoint,” Pidgin said in its advisory.
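The Basic Constraints check the advisory is talking about is what stops any ordinary server certificate from being used as a certificate authority. The following Go program is an added illustration, not code from Pidgin or libpurple: it builds a demo root CA, a normal (cA=FALSE) server certificate for im.example.com issued by that root, and a "rogue" certificate for xmpp.example.org signed with the server certificate's private key, then runs both through Go's standard x509 verifier, which enforces Basic Constraints. All names and the assumed hostnames are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signCert signs template under parent with parentKey (self-signed when
// parent == template) and parses the DER back into a usable Certificate.
func signCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildScenario returns (root, leaf, rogue): a demo CA, a cA=FALSE server
// certificate issued by it, and a certificate for a different host signed with
// the leaf's key, which is exactly what a man-in-the-middle holding any valid
// server certificate could mint. All names are constructed demo values.
func BuildScenario() (*x509.Certificate, *x509.Certificate, *x509.Certificate, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	rogueKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()

	rootTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true, // cA=TRUE: allowed to issue certificates
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err := signCert(rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}

	leafTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "im.example.com"},
		DNSNames:              []string{"im.example.com"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  false, // cA=FALSE: an end-entity key, must not issue certs
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := signCert(leafTpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}

	// The rogue certificate is signed by the leaf's key, so its signature is
	// cryptographically fine; only the Basic Constraints check on the issuer
	// tells a verifier that the leaf had no authority to sign it.
	rogueTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(3),
		Subject:               pkix.Name{CommonName: "xmpp.example.org"},
		DNSNames:              []string{"xmpp.example.org"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	rogue, err := signCert(rogueTpl, leaf, &rogueKey.PublicKey, leafKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return root, leaf, rogue, nil
}

// VerifyAgainst validates cert for host using root as the only trust anchor and
// the given intermediates; Go's verifier rejects any intermediate with cA=FALSE.
func VerifyAgainst(cert *x509.Certificate, host string, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

func main() {
	root, leaf, rogue, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf  for im.example.com   ->", VerifyAgainst(leaf, "im.example.com", root))
	fmt.Println("rogue for xmpp.example.org ->", VerifyAgainst(rogue, "xmpp.example.org", root, leaf))
}
```

A verifier that skips the Basic Constraints check accepts the second chain, because every signature in it is valid; that is the gap the Pidgin advisory describes, and it is why a client should never trust a chain on signature checks alone.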
Another vulnerability (CVE-2014-3698) fixed in the latest Pidgin release was an information leaking flaw that could allow an attacker to remotely steal data moving through the client by sending a malicious XMPP message. That would trigger a vulnerability in the Jabber protocol plugin in libpurple.
Meanwhile, Cisco Talos intelligence team researcher Yves Younan disclosed three other vulnerabilities patched in this release that were reported by the networking giant.
One of the vulnerabilities was found only on the Windows version of the Pidgin client and had to do with how the client handled smiley and theme packages, which are downloaded as Tape Archive (TAR) files from websites and loaded into the client.
On Linux, the system tar utility extracts the files into a specified directory; because no such utility exists on Windows, the Windows build of Pidgin ships its own code to perform the extraction, Younan said.
“This code, unlike tar, does allow the specification of an absolute path in the tar file, resulting in the ability to write or overwrite any file allowed by the file system permissions for that user,” Younan said.
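The defensive rule behind this bug is simple: a member name inside an archive is untrusted input, and every name must be mapped onto a path inside the chosen destination before anything is written. The Go program below is an added example (not Pidgin's extractor) that builds a small theme-like archive in memory with two benign members, one absolute path and one `..` traversal, and extracts it with a name check that rejects both bad members. Note the explicit leading-slash test: on Windows `filepath.IsAbs("/etc/x")` is false because the name has no drive letter, which is the kind of platform difference that lets absolute names slip through.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// maxMemberSize caps a single extracted file; an assumed demo limit.
const maxMemberSize = 4 << 20

// SafeEntryPath maps a tar member name onto a path under dest. It rejects
// absolute and volume-qualified names and any name that resolves outside dest.
func SafeEntryPath(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	if name == "" || strings.HasPrefix(name, "/") || strings.HasPrefix(name, `\`) ||
		filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", errors.New("absolute or volume-qualified member name: " + name)
	}
	target := filepath.Join(dest, filepath.FromSlash(name)) // Join also cleans ".." segments
	if target != dest && !strings.HasPrefix(target, dest+string(os.PathSeparator)) {
		return "", errors.New("member escapes destination: " + name)
	}
	return target, nil
}

// ExtractTar writes regular files and directories from r under dest, returning
// the member names it wrote and the ones it rejected. Links and devices are
// not needed for a theme pack and are rejected as well.
func ExtractTar(r io.Reader, dest string) (written, rejected []string, err error) {
	tr := tar.NewReader(r)
	for {
		hdr, nerr := tr.Next()
		if nerr == io.EOF {
			return written, rejected, nil
		}
		if nerr != nil {
			return written, rejected, nerr
		}
		target, perr := SafeEntryPath(dest, hdr.Name)
		if perr != nil || hdr.Size > maxMemberSize {
			rejected = append(rejected, hdr.Name)
			continue
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if merr := os.MkdirAll(target, 0o755); merr != nil {
				return written, rejected, merr
			}
		case tar.TypeReg:
			if merr := os.MkdirAll(filepath.Dir(target), 0o755); merr != nil {
				return written, rejected, merr
			}
			f, oerr := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
			if oerr != nil {
				return written, rejected, oerr
			}
			_, cerr := io.Copy(f, io.LimitReader(tr, maxMemberSize))
			f.Close()
			if cerr != nil {
				return written, rejected, cerr
			}
			written = append(written, hdr.Name)
		default:
			rejected = append(rejected, hdr.Name)
		}
	}
}

// BuildSampleArchive returns a constructed archive: two benign theme members,
// one absolute path and one traversal. The contents are demo placeholders.
func BuildSampleArchive() ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, m := range []struct{ name, body string }{
		{"smileys/theme", "Name=Demo\n"},
		{"smileys/smile.png", "not-really-a-png"},
		{"/etc/cron.d/evil", "absolute path, must be rejected"},
		{"../../evil.txt", "traversal, must be rejected"},
	} {
		h := &tar.Header{Name: m.name, Mode: 0o644, Size: int64(len(m.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(h); err != nil {
			return nil, err
		}
		if _, err := tw.Write([]byte(m.body)); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Demo extracts the sample archive into a throwaway directory.
func Demo() (written, rejected []string, err error) {
	dest, err := os.MkdirTemp("", "theme-extract-")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(dest)
	archive, err := BuildSampleArchive()
	if err != nil {
		return nil, nil, err
	}
	return ExtractTar(bytes.NewReader(archive), dest)
}

func main() {
	written, rejected, err := Demo()
	fmt.Println("written:", written, "rejected:", rejected, "err:", err)
}
```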
Another vulnerability reported and disclosed by Cisco was found in how libpurple handles the Novell GroupWise collaboration software protocol.
“An attacker who can control the contents of a Novell protocol message can cause an out of memory exception by specifying an overly large size value for a memory allocation operation,” Younan said, adding that by doing so, an attacker can cause the client to crash.
The final bug reported by Cisco was found in how Mxit emoticons are handled; an attacker spoofing messages from the mxit domain would be able to exploit the vulnerability.
“An attacker who can control the contents of an Emoticon downloaded through the Mxit protocol can cause an out of bounds read by specifying an overly large ASN length value,” Younan said. “Since this data is not returned to the attacker, the impact is limited to a denial of service.”
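Both of the Cisco-reported protocol bugs share one root cause: a length taken from the wire was used before it was compared against the bytes actually present and against a sane upper bound. The Go program below is an added example, not libpurple's parser, covering both the Novell case (a size value driving an allocation) and the Mxit case (an ASN.1 length driving a read). The 4-byte length framing and the `MaxPayload` cap are assumptions for the demo; the real Novell and Mxit formats and limits are not described on the page.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// MaxPayload caps what any single length field may ask the parser to allocate
// or read. This is an assumed demo value, not a libpurple constant.
const MaxPayload = 1 << 20

var (
	ErrTruncated = errors.New("declared length exceeds remaining input")
	ErrTooLarge  = errors.New("declared length exceeds configured maximum")
	ErrMalformed = errors.New("malformed length encoding")
)

// ReadU32Field parses a field framed as a 4-byte big-endian length followed by
// its payload (assumed framing, standing in for the Novell size value). Both
// checks run before the allocation, so a hostile size can neither exhaust
// memory nor read past the buffer.
func ReadU32Field(in []byte) (payload, rest []byte, err error) {
	if len(in) < 4 {
		return nil, nil, ErrMalformed
	}
	n := binary.BigEndian.Uint32(in)
	if n > MaxPayload {
		return nil, nil, ErrTooLarge
	}
	if uint64(n) > uint64(len(in)-4) {
		return nil, nil, ErrTruncated
	}
	payload = make([]byte, n) // only reached once n is known to be sane
	copy(payload, in[4:4+n])
	return payload, in[4+n:], nil
}

// DecodeDERLength decodes a BER/DER length (short form, or long form with up
// to four length octets) and returns the content length and octets consumed.
// Indefinite lengths (0x80) and absurdly wide lengths are rejected outright.
func DecodeDERLength(in []byte) (length, consumed int, err error) {
	if len(in) == 0 {
		return 0, 0, ErrMalformed
	}
	first := in[0]
	if first < 0x80 {
		return int(first), 1, nil
	}
	numOctets := int(first & 0x7f)
	if numOctets == 0 || numOctets > 4 {
		return 0, 0, ErrMalformed
	}
	if len(in) < 1+numOctets {
		return 0, 0, ErrTruncated
	}
	var n uint64
	for _, b := range in[1 : 1+numOctets] {
		n = n<<8 | uint64(b)
	}
	if n > MaxPayload {
		return 0, 0, ErrTooLarge
	}
	return int(n), 1 + numOctets, nil
}

// ReadDERElement reads one tag/length/value element. The comparison of the
// decoded length against the bytes that remain is the out-of-bounds-read guard.
func ReadDERElement(in []byte) (tag byte, value, rest []byte, err error) {
	if len(in) < 2 {
		return 0, nil, nil, ErrMalformed
	}
	n, consumed, err := DecodeDERLength(in[1:])
	if err != nil {
		return 0, nil, nil, err
	}
	body := in[1+consumed:]
	if n > len(body) {
		return 0, nil, nil, ErrTruncated
	}
	return in[0], body[:n], body[n:], nil
}

func main() {
	// Constructed sample inputs: one well-formed frame and one hostile one of each kind.
	good := []byte{0, 0, 0, 3, 'a', 'b', 'c'}
	huge := []byte{0xff, 0xff, 0xff, 0xff, 1, 2}
	p, _, err := ReadU32Field(good)
	fmt.Printf("u32 good: %q err=%v\n", p, err)
	_, _, err = ReadU32Field(huge)
	fmt.Println("u32 huge: err =", err)

	octetString := []byte{0x04, 0x05, 'h', 'e', 'l', 'l', 'o'}
	oversized := []byte{0x04, 0x84, 0x7f, 0xff, 0xff, 0xff, 'h'}
	_, v, _, err := ReadDERElement(octetString)
	fmt.Printf("der good: %q err=%v\n", v, err)
	_, _, _, err = ReadDERElement(oversized)
	fmt.Println("der oversized: err =", err)
}
```

The ordering matters: the cap check comes before the remaining-bytes check so that a 4 GB request is refused even when the caller has a large buffer, and the allocation or slice is taken only after both pass. Rejecting the input with an error, rather than crashing, is what turns a remote denial of service into a logged, dropped message.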