Libpurple flaw: How does it affect connected IM clients?

The libpurple library contains a code execution vulnerability that affects the IM clients that were developed using it. Expert Michael Cobb explains how the flaw works.

A code execution vulnerability was found in libpurple, the library used in IM clients such as Pidgin and Adium. Other IM networks, like AIM, Google Talk and Yahoo Messenger, can be connected to these clients. What is the flaw, and what can users of these IM clients do about it?

Libpurple is an open source library, developed by free chat software maker Pidgin, that provides the core functionality needed to develop an IM program. It enables developers to concentrate on developing the user interface, leaving libpurple to handle such tasks as managing accounts, preferences and network-level connectivity to access IM networks like AIM, Google Talk, Jabber and Yahoo Messenger.

Libpurple is used in various IM clients, including Pidgin and messaging software maker Adium's IM app. Adium became popular with Apple users after it was included in a Privacy Pack recommended by the Electronic Frontier Foundation in the months following the Edward Snowden leaks.

Security researcher Erythronium found an out-of-bounds write flaw in libpurple that occurs when invalid XML entities containing whitespace are sent by an attacker. This can be exploited to run arbitrary code remotely or to cause a denial-of-service condition. Although the attack string has to be sent from a malicious server, it is still a serious vulnerability.

Pidgin has patched this problem in version 2.12.0, listed as CVE-2017-2640, by only decoding HTML entities that are well formed.
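As an added illustration of that fix strategy (this is example code, not libpurple's or Pidgin's), the decoder below accepts only well-formed entities, so an entity body containing whitespace or other stray bytes is left untouched rather than decoded, and every output write is bounds-checked. The function names, the supported entity set and the 1..8-character body limit are assumptions made for the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical helper (not libpurple's code): decode the entity starting at s
 * (s[0] == '&'); store the byte in *ch and return bytes consumed, 0 if malformed. */
static size_t decode_entity(const char *s, char *ch)
{
    static const struct { const char *name; char val; } named[] = {
        { "amp", '&' }, { "lt", '<' }, { "gt", '>' }, { "quot", '"' }, { "apos", '\'' },
    };
    const char *end = strchr(s + 1, ';');
    size_t body, i;
    /* Well formed: '&', 1..8 name chars, ';'. Whitespace in the body is rejected. */
    if (end == NULL) return 0;
    body = (size_t)(end - (s + 1));
    if (body < 1 || body > 8) return 0;
    for (i = 1; i <= body; i++)
        if (!isalnum((unsigned char)s[i]) && !(i == 1 && s[i] == '#')) return 0;
    if (s[1] == '#') {                       /* numeric reference &#NNN; */
        char *stop; long v = strtol(s + 2, &stop, 10);
        if (stop != end || v < 1 || v > 127) return 0;  /* ASCII only in this example */
        *ch = (char)v; return body + 2;
    }
    for (i = 0; i < sizeof named / sizeof named[0]; i++)
        if (strlen(named[i].name) == body && memcmp(s + 1, named[i].name, body) == 0) {
            *ch = named[i].val; return body + 2;
        }
    return 0;                                /* unknown name: leave it alone */
}
/* Copy in to out (cap bytes, NUL-terminated), decoding only well-formed entities;
 * every write is bounds-checked. Returns bytes written, excluding the NUL. */
size_t strict_unescape(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    if (cap == 0) return 0;
    while (*in && o + 1 < cap) {
        char ch; size_t used = (*in == '&') ? decode_entity(in, &ch) : 0;
        if (used) { out[o++] = ch; in += used; }
        else      { out[o++] = *in++; }
    }
    out[o] = '\0';
    return o;
}
/* Test helper: 1 if in decodes to expected within a small fixed buffer. */
int unescapes_to(const char *in, const char *expected)
{
    char buf[32];
    strict_unescape(in, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}
```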

However, no Adium advisory or patches have been released. Erythronium has been very critical of Adium's lack of response and its security processes, saying its build process documentation doesn't seem to include steps for upgrading or rebuilding libpurple, and the copy of libpurple checked into Adium's open source repository is a "binary blob of unknown provenance." Users of Adium should consider using an alternative IM client until Adium issues a patch and explains its policies and procedures for handling vulnerabilities in both its own codebase and in any of its dependencies.

Also of concern is the robustness of the security practices behind the development of the libpurple library. While work has been done to improve libpurple's codebase, many still feel cryptographic features are layered on top rather than built in as part of libpurple's design. Security as a plug-in rarely works, and because libpurple is written in C, it is exposed to memory-corruption bugs such as the out-of-bounds write described above.

When choosing any software program that will be used to encrypt and protect data and communications, it's essential to assess the company or team behind a particular app to understand how mature its development processes are and the steps it takes to embed and maintain secure code, particularly when it comes to using third-party libraries.

One alternative available for both Android and iOS is Open Whisper Systems' Signal Private Messenger.


This was last published in August 2017
