cve-2010-3711-00

Summary: Multiple remotely-triggered denials of service
Date: 2010-10-20
CVE Number: CVE-2010-3711
Discovered By: Daniel Atallah
Fixed In Release: 2.7.4

Description

Eight denial of service conditions have been discovered in libpurple, all due to insufficient validation of the return value from purple_base64_decode(). Invalid or malformed data received in place of a valid base64-encoded value in portions of the Yahoo!, MSN, MySpaceIM, and XMPP protocol plugins and the NTLM authentication support triggers a crash. A remote user can leverage these vulnerabilities to cause a denial of service.

Mitigation

Check the return value from purple_base64_decode() before trying to use it.
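
The mitigation above as a self-contained C example, added here and not taken from the libpurple source. demo_base64_decode() is a hypothetical stand-in for purple_base64_decode() that is assumed to return NULL on malformed input, and parse_field() is a hypothetical caller that rejects a failed or too-short decode before reading from the buffer.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for purple_base64_decode(); assumed to return NULL on bad input. */
static int b64val(char c)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

unsigned char *demo_base64_decode(const char *str, size_t *ret_len)
{
    size_t n, i, j, pad = 0, o = 0;
    unsigned char *out;
    if (str == NULL || (n = strlen(str)) == 0 || n % 4 != 0)
        return NULL;
    if (str[n - 1] == '=')
        pad = (str[n - 2] == '=') ? 2 : 1;
    if ((out = malloc(n / 4 * 3)) == NULL)
        return NULL;
    for (i = 0; i < n; i += 4) {
        unsigned long v = 0;
        for (j = 0; j < 4; j++) {
            /* trailing '=' positions count as zero bits; anything else
             * outside the alphabet makes the whole value invalid */
            int d = (i + j >= n - pad) ? 0 : b64val(str[i + j]);
            if (d < 0) { free(out); return NULL; }
            v = (v << 6) | (unsigned long)d;
        }
        out[o++] = (unsigned char)(v >> 16);
        out[o++] = (unsigned char)(v >> 8);
        out[o++] = (unsigned char)v;
    }
    *ret_len = o - pad;
    return out;
}

/* Hypothetical handler: read a 4-byte big-endian field. 0 = ok, -1 = rejected. */
int parse_field(const char *b64, unsigned long *value)
{
    size_t len = 0;
    unsigned char *raw = demo_base64_decode(b64, &len);
    if (raw == NULL || len < 4) {   /* failed decode, or too short to read */
        free(raw);                  /* free(NULL) is a no-op */
        return -1;
    }
    *value = ((unsigned long)raw[0] << 24) | ((unsigned long)raw[1] << 16) |
             ((unsigned long)raw[2] << 8) | raw[3];
    free(raw);
    return 0;
}
```

Without the NULL and length test in parse_field(), the reads from raw[0..3] would dereference a null pointer or run past a short buffer, which is the crash condition the advisory describes.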