ZDI-CAN-338: libpurple MSN Protocol SLP Message Heap Overflow Vulnerability

Stu Tomlinson stu at nosnilmot.com
Tue Jul 1 22:42:08 EDT 2008


Pidgin 2.4.3 will be out very soon, and I think we should be clear on
exactly what this contains.

The primary reason for this release is that login to ICQ stopped working
completely for reasons entirely unrelated to the issues being discussed
here.

This is unfortunate timing, and I'm sorry we didn't fix all known issues
for this release.

On Thu, 2008-06-26 at 19:51 -0400, Josh Bressers wrote:
> OK, I took a look at things, and the way I see it we have at least three
> things (three CVE ids).
> 
> * XML memory leak

This is not fixed in Pidgin 2.4.3, and has not (to my knowledge) been
verified by a pidgin developer to be a genuine flaw.

> * UPnP arbitrary file download (maybe not a flaw)

This is not fixed in Pidgin 2.4.3, and in my opinion is not a
vulnerability as such, as we use g_try_malloc already to avoid
application aborts when the allocation fails. This can, however,
potentially cause pidgin to allocate unnecessary additional memory in
the presence of an antisocial UPnP device.

> * msn integer overflow

This is fixed in Pidgin 2.4.3.

> I'm also wondering about these ones:
> 7a490c356e10f7fff3432f875897aa0ca0ad1ff0 yahoo double free
> d99b567b2df0833b855496e7466e6c4c2d9d2329 Don't crash if the given
>     jabber id is invalid.  For example, bond/_007 at gmail.com
> Should those be considered security flaws, or are those silly user tricks?

These are fixed in Pidgin 2.4.3, but unfortunately I do not know the
details to assess whether they are considered security flaws or not.

There is also this additional MSN issue:
http://marc.info/?l=bugtraq&m=121449329530282&w=4
and as I mentioned earlier, this has not been fixed in Pidgin 2.4.3 (and
is not accurately described in that report).

Regards,


Stu.
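Two of the points above (the MSN integer overflow, and relying on g_try_malloc so an oversized length from a UPnP device fails the allocation instead of aborting the client) come down to the same defensive pattern: compute sizes derived from remote input with overflow checks, bound them by policy, and treat allocation failure as an ordinary error. The following is an added illustration written for this archive page, not libpurple's own code; MAX_REMOTE_ALLOC is an assumed policy cap, and plain malloc stands in for g_try_malloc (both return NULL on failure rather than aborting).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap on how much a remote peer may make us buffer (1 MiB). */
#define MAX_REMOTE_ALLOC (1024u * 1024u)

/* Overflow-checked offset + len. Returns 1 and writes *out on success,
 * 0 if the sum would wrap around size_t. */
int safe_add_size(size_t offset, size_t len, size_t *out)
{
    if (len > SIZE_MAX - offset)
        return 0;
    *out = offset + len;
    return 1;
}

/* Does a chunk at (offset, len) lie entirely inside a buffer of `total`
 * bytes? An unchecked offset + len could wrap to a small value and pass a
 * naive "end <= total" test; safe_add_size rejects that case first. */
int chunk_fits(size_t total, size_t offset, size_t len)
{
    size_t end;
    if (!safe_add_size(offset, len, &end))
        return 0;
    return end <= total;
}

/* Parse a decimal length such as a Content-Length value from an untrusted
 * peer. Returns 0 and writes *len only for a well-formed, in-policy number;
 * -1 for anything else (sign, whitespace, junk, overflow, over the cap). */
int parse_bounded_length(const char *value, size_t *len)
{
    char *end = NULL;
    unsigned long long v;

    if (value == NULL || value[0] < '0' || value[0] > '9')
        return -1;                       /* rejects "", "-1", " 12", "+5" */
    errno = 0;
    v = strtoull(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0')
        return -1;                       /* ERANGE or trailing junk */
    if (v > MAX_REMOTE_ALLOC)
        return -1;                       /* policy, not just arithmetic */
    *len = (size_t)v;
    return 0;
}

/* Reserve a buffer for a remote-declared length. NULL means "refused",
 * either by policy or by the allocator; the caller must handle it like any
 * other protocol error instead of dereferencing. */
void *reserve_remote_buffer(size_t declared)
{
    if (declared == 0 || declared > MAX_REMOTE_ALLOC)
        return NULL;
    return malloc(declared);             /* g_try_malloc(declared) in glib */
}

int main(void)
{
    /* Constructed sample header values, as a remote peer might send them. */
    const char *samples[] = { "4096", "999999999999", "-1", "12abc" };
    size_t i, n;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_bounded_length(samples[i], &n) == 0) {
            void *buf = reserve_remote_buffer(n);
            printf("%-14s -> accepted %zu bytes, buffer %s\n",
                   samples[i], n, buf ? "allocated" : "refused");
            free(buf);
        } else {
            printf("%-14s -> rejected\n", samples[i]);
        }
    }
    printf("chunk (90,10) in 100: %d, (95,10): %d, (SIZE_MAX,1): %d\n",
           chunk_fits(100, 90, 10), chunk_fits(100, 95, 10),
           chunk_fits(100, SIZE_MAX, 1));
    return 0;
}
```

The cap matters as much as the NULL check: an allocator that merely fails instead of aborting still lets a peer push memory use up to whatever the system will grant, which is the "unnecessary additional memory" concern above.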


