Possible libpurple vulnerability in multiple prpls
Mark Doliner
mark at kingant.net
Sat Aug 15 16:41:20 EDT 2009
On Sat, Aug 15, 2009 at 12:20 PM, Elliott Sales de Andrade <qulogic at pidgin.im> wrote:
> On Sat, Aug 15, 2009 at 6:59 AM, Josh Bressers <bressers at redhat.com> wrote:
>>
>> ----- "Elliott Sales de Andrade" <qulogic at pidgin.im> wrote:
>>
>> > Hi there,
>> >
>> > I think I have a potentially exploitable crash here, and I'm trying to
>> > determine whether it's going to be requiring a CVE ID. I'm holding off
>> > on applying the fix until this is determined. The exploit requires the
>> > user to accept a file transfer and then crashes because of passing
>> > NULL to g_filename_to_utf8.
>> >
>>
>> Without looking at code, this sounds like a crash only bug. What does
>> g_filename_to_utf8 do with the NULL that suggests arbitrary code
>> execution?
>
> I looked deeper into GLib code to see, and it appears to be just a NULL
> dereference. See http://git.gnome.org/cgit/glib/tree/glib/gutf8.c#n1574
> where 'p' is deref'd on line 1584. Backtrace is the following for anyone
> interested:
> #4 IA__g_utf8_validate (str=0x0, max_len=-1, end=0x0) at gutf8.c:1573
> #5 0x00007fde11807893 in strdup_len (string=0x0, len=-1, bytes_written=0x0,
> bytes_read=0x0, error=0x0) at gconvert.c:1009
> #6 0x00007fde118080ae in IA__g_filename_to_utf8 (opsysstring=0x0, len=-1,
> bytes_read=0x0, bytes_written=0x0, error=0x0) at gconvert.c:1328
>
>> If it's only a crash, getting a CVE id is up to upstream. If you want to call
>> it a security fix, then it gets one, otherwise not. As a user has to accept
>> the file, I'd lean toward no.
>
> I'll leave it to John or Mark, but I'd say no based on your description
> here.
In the past I think we have not gotten CVE numbers for things that
require the user to accept a request. So my vote is no. But maybe
you should hold off on committing the change until Tuesday the 18th,
and maybe email us a diff of your fix?
-Mark
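The crash discussed above happens because g_utf8_validate() walks its input without a NULL check, so the caller that handles the accepted file transfer has to reject a missing filename before it ever reaches the conversion routine. The following is an added example, not Pidgin's, libpurple's or GLib's code: a small stand-in for g_utf8_validate() that refuses NULL instead of dereferencing it (it assumes GLib's return convention, true on valid input and *end left at the first bad byte), and a hypothetical caller-side check of the kind a prpl would run on the filename it received.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Byte length of the UTF-8 sequence introduced by lead byte c, 0 if c cannot
 * start a sequence (continuation bytes, overlong C0/C1 leads, leads above F4). */
static size_t utf8_seq_len(unsigned char c)
{
    if (c < 0x80)           return 1;
    if ((c & 0xE0) == 0xC0) return (c >= 0xC2) ? 2 : 0;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return (c <= 0xF4) ? 4 : 0;
    return 0;
}

/* Stand-in for g_utf8_validate() (assumed semantics): validate max_len bytes,
 * or up to the NUL terminator when max_len < 0. Unlike the GLib routine it
 * returns false for a NULL pointer rather than dereferencing it. On return
 * *end points at the terminator, or at the first invalid byte. */
bool utf8_validate_safe(const char *str, long max_len, const char **end)
{
    if (end) *end = str;
    if (str == NULL)            /* the guard the crash report is missing */
        return false;

    const unsigned char *p = (const unsigned char *)str;
    size_t i = 0;
    while (max_len < 0 ? p[i] != 0 : (long)i < max_len) {
        if (max_len >= 0 && p[i] == 0)           /* embedded NUL is not valid text */
            goto bad;
        size_t n = utf8_seq_len(p[i]);
        if (n == 0)
            goto bad;
        if (max_len >= 0 && (long)(i + n) > max_len) /* sequence runs past the buffer */
            goto bad;
        /* Every trailing byte must be 10xxxxxx; a NUL terminator fails this test,
         * so a truncated sequence is caught before we read past the string. */
        for (size_t k = 1; k < n; k++)
            if ((p[i + k] & 0xC0) != 0x80)
                goto bad;
        /* Reject overlong 3/4-byte forms, UTF-16 surrogates and values > U+10FFFF. */
        if (n == 3 && p[i] == 0xE0 && p[i + 1] < 0xA0)  goto bad;
        if (n == 3 && p[i] == 0xED && p[i + 1] >= 0xA0) goto bad;
        if (n == 4 && p[i] == 0xF0 && p[i + 1] < 0x90)  goto bad;
        if (n == 4 && p[i] == 0xF4 && p[i + 1] >= 0x90) goto bad;
        i += n;
    }
    if (end) *end = str + i;
    return true;
bad:
    if (end) *end = str + i;
    return false;
}

/* Hypothetical caller-side check for a filename taken from a file-transfer
 * request: 0 means the name may be handed to the conversion routine, -1 means
 * the transfer should be refused (no name, empty name, or malformed bytes). */
int check_transfer_filename(const char *filename)
{
    const char *end;
    if (filename == NULL || filename[0] == '\0')
        return -1;
    if (!utf8_validate_safe(filename, -1, &end))
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: a valid name, a NULL name, and a truncated sequence. */
    const char *samples[] = { "r\xc3\xa9sum\xc3\xa9.txt", NULL, "report\xc3" };
    for (size_t i = 0; i < 3; i++)
        printf("sample %zu: %s\n", i, check_transfer_filename(samples[i]) == 0 ? "accept" : "reject");
    return 0;
}
```

The point of the wrapper is that a NULL from the network becomes a rejected transfer rather than a library-level crash; the UTF-8 checks are there so the stand-in behaves like the real validator on ordinary input.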