pidgin.2.7.2: 33f2cf39: *** Plucked rev 7e159eaa14b0041fcc3ee578...
markdoliner at pidgin.im
Tue Jul 20 23:36:18 EDT 2010
----------------------------------------------------------------------
Revision: 33f2cf39ab5eb0a4a63972bd843f6afa4072eebc
Parent: 2740cbe13bcf23ba66c1c9240d5a45f268299fb3
Author: markdoliner at pidgin.im
Date: 07/20/10 22:58:11
Branch: im.pidgin.pidgin.2.7.2
URL: http://d.pidgin.im/viewmtn/revision/info/33f2cf39ab5eb0a4a63972bd843f6afa4072eebc
Changelog:
*** Plucked rev 7e159eaa14b0041fcc3ee5783cd1e4f2d039a1a1 (markdoliner at pidgin.im):
Fix a crash bug in oscar related to trying to allocate too much memory.
This was reported to our security mailing list by Jan Kaluza The Great.
I honestly couldn't figure out how to repro this crash, so I've been
considering it as not a remote-crash security problem, so I chose to
skip the CVE process for this.
Changes against parent 2740cbe13bcf23ba66c1c9240d5a45f268299fb3
patched ChangeLog
patched libpurple/protocols/oscar/oscar.c
============================================================
--- ChangeLog 2eb99eac7394cb45e06291990001a24bdc4f562f
+++ ChangeLog 5ade3a3ed7f60ec88ea7b8ef77c725b39508fee9
@@ -1,6 +1,9 @@ version 2.7.2 (07/21/2010):
Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
version 2.7.2 (07/21/2010):
+ AIM and ICQ:
+ * Fix a crash bug related to X-Status messages that can be triggered by
+ remove users. This is CVE-2010-2528.
version 2.7.1 (05/29/2010):
General:
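Review bot: "remove users" in the added ChangeLog entry reads as a typo for "remote users"; the line should say the crash "can be triggered by remote users". The entry also cites CVE-2010-2528, whereas the commit message above states the CVE process was skipped because the crash could not be reproduced; the release notes and the commit history should agree on whether a CVE was assigned, so one of the two needs updating.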
============================================================
--- libpurple/protocols/oscar/oscar.c b448ff8a14ab7db9b3ad6ce2c8f17cac8159f702
+++ libpurple/protocols/oscar/oscar.c cee224a3a79d8c949316f387a000186a7e4d6a93
@@ -3028,12 +3028,23 @@ incomingim_chan4(OscarData *od, FlapConn
if (smstype != 0)
break;
taglen = byte_stream_getle32(&qbs);
+ if (taglen > 2000) {
+ /* Avoid trying to allocate large amounts of memory, in
+ case we get something unexpected. */
+ break;
+ }
tagstr = byte_stream_getstr(&qbs, taglen);
if (tagstr == NULL)
break;
byte_stream_advance(&qbs, 3);
byte_stream_advance(&qbs, 4);
smslen = byte_stream_getle32(&qbs);
+ if (smslen > 2000) {
+ /* Avoid trying to allocate large amounts of memory, in
+ case we get something unexpected. */
+ g_free(tagstr);
+ break;
+ }
smsmsg = byte_stream_getstr(&qbs, smslen);
/* Check if this is an SMS being sent from server */
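Review bot: the literal 2000 and the identical three-line comment are duplicated across the `taglen` and `smslen` checks in this hunk; factor the bound into one named constant with a single comment explaining why 2000 is the chosen cap, so the two limits cannot drift apart. The checks also compare against a fixed cap rather than against the bytes actually remaining in `qbs`: unless `byte_stream_getstr()` itself verifies that `taglen`/`smslen` bytes are available, a length below 2000 that exceeds the remaining data would still read past the end of the stream, so please confirm that or additionally bound the length by the remaining stream size. The `g_free(tagstr)` before the second `break` correctly avoids leaking the string from the first `byte_stream_getstr()`; a matching NULL check on `smsmsg` after the final `byte_stream_getstr()`, mirroring the one on `tagstr`, is not visible in this hunk and is worth verifying.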