Possible libpurple vulnerability in multiple prpls

Mark Doliner mark at kingant.net
Sat Aug 15 16:41:20 EDT 2009

On Sat, Aug 15, 2009 at 12:20 PM, Elliott Sales de Andrade <qulogic at pidgin.im> wrote:
> On Sat, Aug 15, 2009 at 6:59 AM, Josh Bressers <bressers at redhat.com> wrote:
>> ----- "Elliott Sales de Andrade" <qulogic at pidgin.im> wrote:
>> > Hi there,
>> >
>> > I think I have a potentially exploitable crash here, and I'm trying to
>> > determine whether it's going to be requiring a CVE ID. I'm holding off
>> > on applying the fix until this is determined. The exploit requires the
>> > user to accept a file transfer and then crashes because of passing
>> > NULL to g_filename_to_utf8.
>> >
>> Without looking at code, this sounds like a crash only bug. What does
>> g_filename_to_utf8 do with the NULL that suggests arbitrary code
>> execution?
> I looked deeper into GLib code to see, and it appears to be just a NULL
> dereference. See http://git.gnome.org/cgit/glib/tree/glib/gutf8.c#n1574
> where 'p' is deref'd on line 1584. Backtrace is the following for anyone
> interested:
> #4  IA__g_utf8_validate (str=0x0, max_len=-1, end=0x0) at gutf8.c:1573
> #5  0x00007fde11807893 in strdup_len (string=0x0, len=-1, bytes_written=0x0,
>     bytes_read=0x0, error=0x0) at gconvert.c:1009
> #6  0x00007fde118080ae in IA__g_filename_to_utf8 (opsysstring=0x0, len=-1,
>     bytes_read=0x0, bytes_written=0x0, error=0x0) at gconvert.c:1328
>> If it's only a crash, getting a CVE id is up to upstream. If you want to
>> call it a security fix, then it gets one, otherwise not. As a user has to
>> accept the file, I'd lean toward no.
> I'll leave it to John or Mark, but I'd say no based on your description
> here.

In the past I think we have not gotten CVE numbers for things that
require the user to accept a request.  So my vote is no.  But maybe
you should hold off on committing the change until Tuesday the 18th,
and maybe email us a diff of your fix?
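An added example, not code from the thread, from Pidgin or from GLib, that models the crash path discussed above in C. A file-transfer request from the peer may carry no filename at all, so the receiving prpl ends up holding a NULL pointer; g_filename_to_utf8() hands that pointer to g_utf8_validate(), which dereferences it without a NULL check, so the result is a read of address zero, a crash rather than a controlled write. The validator below is a minimal stand-in for g_utf8_validate() written for this example (it does not link against GLib), and the two accept_transfer_* functions and the sample names are constructed here to show the unguarded caller beside the hardened one.

```c
/*
 * Added example (not Pidgin or GLib code). Models the bug discussed in the
 * thread: a filename that may be NULL is passed into a UTF-8 conversion
 * routine that dereferences it unconditionally.
 */
#include <stddef.h>
#include <stdio.h>

/* Stand-in for g_utf8_validate(): returns 1 if `s` is well-formed UTF-8
 * (structure only: lead byte plus the right number of continuation bytes;
 * overlong forms and surrogates are not rejected). Like the GLib original
 * it dereferences `s` without a NULL check, so a NULL `s` faults on the
 * first `*p` below. */
static int utf8_validate(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;

    while (*p) {                       /* NULL `s` faults here */
        size_t n;
        if (*p < 0x80)                n = 1;
        else if ((*p & 0xE0) == 0xC0) n = 2;
        else if ((*p & 0xF0) == 0xE0) n = 3;
        else if ((*p & 0xF8) == 0xF0) n = 4;
        else return 0;                 /* stray continuation or 0xF8+ */
        for (size_t i = 1; i < n; i++) /* a NUL here fails the mask test,
                                          so we never run past the string */
            if ((p[i] & 0xC0) != 0x80) return 0;
        p += n;
    }
    return 1;
}

/* Unguarded caller, mirroring the original bug: the peer controls whether
 * a name was sent, and a NULL name faults inside utf8_validate().
 * Only call this with a non-NULL filename. */
int accept_transfer_unchecked(const char *filename)
{
    return utf8_validate(filename) ? 0 : -1;
}

/* Hardened caller: refuse a request with no name before anything can
 * dereference it, then validate the encoding of the name that was sent.
 * Returns 0 on success, -1 for a name that is not valid UTF-8, -2 for a
 * missing or empty name. */
int accept_transfer_checked(const char *filename)
{
    if (filename == NULL || filename[0] == '\0')
        return -2;                     /* malformed request: no filename */
    if (!utf8_validate(filename))
        return -1;                     /* present but not valid UTF-8 */
    return 0;                          /* safe to hand on to the UI */
}

int main(void)
{
    /* Constructed sample names for this example. */
    const char *good    = "report.pdf";
    const char *accent  = "caf\xC3\xA9.txt";   /* "café.txt", valid UTF-8 */
    const char *broken  = "\xC3\x28";          /* lead byte, bad continuation */
    const char *missing = NULL;                /* request carried no name */

    printf("good:    %d\n", accept_transfer_checked(good));     /* 0  */
    printf("accent:  %d\n", accept_transfer_checked(accent));   /* 0  */
    printf("broken:  %d\n", accept_transfer_checked(broken));   /* -1 */
    printf("missing: %d\n", accept_transfer_checked(missing));  /* -2 */
    /* accept_transfer_unchecked(missing) would segfault here, as in the
     * reported backtrace; it is deliberately not called. */
    return 0;
}
```

The point of the hardened version is that the check belongs in the caller: the conversion routine is documented to take a string, and the protocol code is the only place that knows the name may be absent from a peer-controlled message.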


More information about the Packagers mailing list