Vulnerability Update [VU#825121]

Luke Schierer lschiere at pidgin.im
Wed Feb 28 18:00:32 EST 2007




On Feb 28, 2007, at 17:37 EST, Daniel Atallah wrote:

> On 2/28/07, Luke Schierer <lschiere at pidgin.im> wrote:
>> - --- Begin report - Not for public distribution ----------
>>
>> There is a function whose prototype is :
>>
>> void gaim_debug(GaimDebugLevel level, const char *category, const
>> char *format, ...);
>>
>> declared in my /usr/include/gaim/debug.h header.
>>
>>   Now, if you look at the source file in  <somepath>/gaim-1.5.0/
>> plugins/perl/common/Gaim.c
>>
>>   you'll find this function misused in 3 places :
>>
>>   line 204: gaim_debug(level, category, string);
>>   line 220: gaim_debug(GAIM_DEBUG_MISC, category, string);
>>   line 237: gaim_debug(GAIM_DEBUG_INFO, category, string);
>>
>>   In those 3 places, the "string" variable can allow an attacker to
>>   inject its own format string, and therefore,
>>   read or write anywhere in the process's memory, potentially
>>   allowing arbitrary execution.
>>
>> - --- End Report - Not for public distribution -----------
>
> Has anyone actually verified that this is actually exploitable remotely?
>
> These are just in the Perl bindings - a malicious perl plugin could
> certainly do bad things with them, but the ability of a plugin to do
> bad things is hardly a vulnerability.
>
> -D
>

My reply at the time was:

We received a report of these potential problems yesterday. We have
investigated them and found none to be remotely exploitable. A
couple of them could be exploited if you load a malicious plugin into
gaim, but we consider this very low risk because the same care should
be exercised in choosing plugins as goes into deciding what software
to run; a plugin does not need such weak points to exist to do
all sorts of potentially malicious things.

That being said, we have checked in fixes to these issues for the
2.0.0 beta6 release, which should be this month; unfortunately, I do
not have exact timing on this release at this time.


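A minimal stand-in for the pattern the report describes, added here as an example (not gaim's or Pidgin's own code): a printf-style logger called with an untrusted string as its format, beside the fixed-"%s" form that the fix amounts to, plus a small audit helper that counts the directives such a string would inject. The names debug_log, log_unsafe, log_safe and count_directives are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for gaim_debug(): a varargs logger with printf semantics.
 * Constructed for this example; not the gaim/Pidgin implementation. */
typedef enum { DBG_MISC, DBG_INFO, DBG_ERROR } DebugLevel;

static char last_line[256];   /* captures the formatted line for inspection */

static void debug_log(DebugLevel level, const char *category,
                      const char *format, ...)
{
    va_list ap;
    int n = snprintf(last_line, sizeof last_line, "[%d:%s] ", level, category);
    va_start(ap, format);
    vsnprintf(last_line + n, sizeof last_line - (size_t)n, format, ap);
    va_end(ap);
}

/* The pattern from the report: the plugin-supplied string is passed as the
 * format itself, so every %-directive in it is interpreted by the logger.
 * (Only "%%" is used in the test below, which keeps the call well-defined.) */
const char *log_unsafe(const char *category, const char *string)
{
    debug_log(DBG_MISC, category, string);   /* format string bug */
    return last_line;
}

/* The fix: a constant format; the untrusted string is only ever an argument. */
const char *log_safe(const char *category, const char *string)
{
    debug_log(DBG_MISC, category, "%s", string);
    return last_line;
}

/* Audit helper: count the conversion directives an untrusted string would
 * inject if it were ever used as a format. "%%" is a literal percent sign. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent, skip it */
        count++;
    }
    return count;
}
```

With a plugin string such as "50%% done", the unsafe path consumes the escape and logs "50% done", while the safe path logs the string verbatim; that difference is the tell that the string is being interpreted as a format.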


