Possible libpurple vulnerability in multiple prpls

Elliott Sales de Andrade qulogic at pidgin.im
Sat Aug 15 15:20:10 EDT 2009


On Sat, Aug 15, 2009 at 6:59 AM, Josh Bressers <bressers at redhat.com> wrote:

>
> ----- "Elliott Sales de Andrade" <qulogic at pidgin.im> wrote:
>
> > Hi there,
> >
> > I think I have a potentially exploitable crash here, and I'm trying to
> > determine whether it's going to be requiring a CVE ID. I'm holding off
> > on applying the fix until this is determined. The exploit requires the
> > user to accept a file transfer and then crashes because of passing
> > NULL to g_filename_to_utf8.
> >
>
> Without looking at code, this sounds like a crash only bug. What does
> g_filename_to_utf8 do with the NULL that suggests arbitrary code execution?
>

I looked deeper into GLib code to see, and it appears to be just a NULL
dereference. See
http://git.gnome.org/cgit/glib/tree/glib/gutf8.c#n1574 where 'p' is
deref'd on line 1584. Backtrace is the following for anyone
interested:
#4  IA__g_utf8_validate (str=0x0, max_len=-1, end=0x0) at gutf8.c:1573
#5  0x00007fde11807893 in strdup_len (string=0x0, len=-1, bytes_written=0x0,
    bytes_read=0x0, error=0x0) at gconvert.c:1009
#6  0x00007fde118080ae in IA__g_filename_to_utf8 (opsysstring=0x0, len=-1,
    bytes_read=0x0, bytes_written=0x0, error=0x0) at gconvert.c:1328

> If it's only a crash, getting a CVE id is up to upstream. If you want to
> call it a security fix, then it gets one, otherwise not. As a user has to
> accept the file, I'd lean toward no.

I'll leave it to John or Mark, but I'd say no based on your description
here.

Thanks.
>
> --
>     JB
>