[patch] libpurple/protocols/oscar: OOM and die on misparsed ICQWebMessage as ICQSMS

Mark Doliner mark at kingant.net
Sun Jun 28 19:32:31 EDT 2009


On Fri, Jun 12, 2009 at 7:59 AM, Yuriy Kaminskiy<yumkam at mail.ru> wrote:
> Yuriy Kaminskiy wrote:
>> I've got a number of OOM/aborts, and found that when pidgin receives
>> chan4/0x1a/ICQWebMessage, it misparses that as ICQSMS, and dies on
>> out-of-memory.
>> 01) fixes in byte_stream_getstr: early check len for validity (this will
>> cause error later anyway), and only then allocate memory.
>> 02) fixes in incomingim_chan4/case 0x1a: better checks for expected
>> format and errors (and not choke on some unknown gibberish).
> Ping. If no-one noticed, this is a security problem (just DoS, not remote
> access, but nonetheless). At least some equivalent of patches 1 and 2
> MUST be applied.

Hi Yuriy!  You probably know this already after seeing the traffic
from ticket 8483[1], but we accepted all four of your patches a few
days ago, and they're being released now-ish in Pidgin 2.5.8.  Thank
you for finding and fixing this bug!  And sorry it took us so long to
actually do something :-(

Also, if you (or anyone else following along at home) happen to find
or fix any security problems in the future, we generally prefer that
you email a few developers directly instead of mailing this list.  We
try to fix problems before they're publicly announced, and we try to
set an embargo date and provide a patch to Linux distributions so they
can prepare packages ahead of time and release them as soon as the
security problem is announced.

Thanks!
-Mark

[1] http://developer.pidgin.im/ticket/9483
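The fix Yuriy describes for byte_stream_getstr (validate the untrusted length against the bytes actually present, and only then allocate) is the general defence against this class of OOM/abort. The following is an added illustration, not libpurple's code: the ByteStream type, the function names and the little-endian 16-bit length-prefixed string layout are all assumptions made for the example, not the real ICQ chan4 wire format.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal byte-stream reader (assumed names; not libpurple's own API). */
typedef struct {
    const uint8_t *data;
    size_t len;      /* total bytes in the buffer */
    size_t offset;   /* current read position */
} ByteStream;

static size_t bs_remaining(const ByteStream *bs) {
    return bs->len - bs->offset;
}

/* Read a little-endian 16-bit length prefix; sets *ok = 0 if the stream is truncated. */
uint16_t bs_get_le16(ByteStream *bs, int *ok) {
    if (bs_remaining(bs) < 2) { *ok = 0; return 0; }
    uint16_t v = (uint16_t)(bs->data[bs->offset] | (bs->data[bs->offset + 1] << 8));
    bs->offset += 2;
    *ok = 1;
    return v;
}

/* Hardened getstr: check the attacker-controlled length against the bytes that
 * are actually left BEFORE calling malloc. The pre-fix ordering allocated first,
 * so a bogus length from a misparsed message drove the process into OOM/abort. */
char *bs_getstr(ByteStream *bs, size_t len) {
    if (len > bs_remaining(bs))   /* would fail later anyway; fail now, with no allocation */
        return NULL;
    char *s = malloc(len + 1);
    if (s == NULL) return NULL;
    memcpy(s, bs->data + bs->offset, len);
    s[len] = '\0';
    bs->offset += len;
    return s;
}

/* Parse one length-prefixed string field (constructed layout: u16 LE length + bytes).
 * Returns NULL on any malformed input instead of choking on it. */
char *parse_prefixed_string(const uint8_t *buf, size_t buflen) {
    ByteStream bs = { buf, buflen, 0 };
    int ok;
    uint16_t len = bs_get_le16(&bs, &ok);
    if (!ok) return NULL;
    return bs_getstr(&bs, len);
}
```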