Possible libpurple vulnerability in multiple prpls

Warren Togami wtogami at redhat.com
Sat Aug 15 17:30:36 EDT 2009


On 08/15/2009 04:41 PM, Mark Doliner wrote:
> On Sat, Aug 15, 2009 at 12:20 PM, Elliott Sales de
> Andrade<qulogic at pidgin.im>  wrote:
>> On Sat, Aug 15, 2009 at 6:59 AM, Josh Bressers<bressers at redhat.com>  wrote:
>>>
>>> ----- "Elliott Sales de Andrade"<qulogic at pidgin.im>  wrote:
>>>
>>>> Hi there,
>>>>
>>>> I think I have a potentially exploitable crash here, and I'm trying to
>>>> determine whether it's going to be requiring a CVE ID. I'm holding off
>>>> on applying the fix until this is determined. The exploit requires the
>>>> user to accept a file transfer and then crashes because of passing
>>>> NULL to g_filename_to_utf8.
>>>>
>>>
>>> Without looking at code, this sounds like a crash only bug. What does
>>> g_filename_to_utf8 do with the NULL that suggests arbitrary code
>>> execution?
>>
>> I looked deeper into GLib code to see, and it appears to be just a NULL
>> dereference. See http://git.gnome.org/cgit/glib/tree/glib/gutf8.c#n1574
>> where 'p' is deref'd on line 1584. Backtrace is the following for anyone
>> interested:
>> #4  IA__g_utf8_validate (str=0x0, max_len=-1, end=0x0) at gutf8.c:1573
>> #5  0x00007fde11807893 in strdup_len (string=0x0, len=-1, bytes_written=0x0,
>>      bytes_read=0x0, error=0x0) at gconvert.c:1009
>> #6  0x00007fde118080ae in IA__g_filename_to_utf8 (opsysstring=0x0, len=-1,
>>      bytes_read=0x0, bytes_written=0x0, error=0x0) at gconvert.c:1328
>>
>>> If it's only a crash, getting a CVE id is up to upstream. If you want to
>>> call it a security fix, then it gets one, otherwise not. As a user has to
>>> accept the file, I'd lean toward no.
>>
>> I'll leave it to John or Mark, but I'd say no based on your description
>> here.
>
> In the past I think we have not gotten CVE numbers for things that
> require the user to accept a request.  So my vote is no.  But maybe
> you should hold off on committing the change until Tuesday the 18th,
> and maybe email us a diff of your fix?
>

Is this important enough to add to 2.5.9?  (It seems not, but asking 
before I build from the tarball.)

Warren
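The NULL dereference traced in the backtrace above, modelled as an added example (my code, not from this thread, libpurple or GLib): valid_utf8() is a simplified stand-in for g_utf8_validate() and, like the real function, assumes a non-NULL pointer; checked_filename_len() is a hypothetical guard placed where the peer-supplied filename enters the client, so the conversion routine is never reached with NULL.

```c
/* Added example, not from the thread, libpurple or GLib. valid_utf8() is a
 * simplified model of g_utf8_validate(): it walks a NUL-terminated string
 * and never checks for NULL, so a NULL filename crashes inside it exactly as
 * in frames #4-#6 above. Surrogates and overlong 3/4-byte forms are not
 * rejected here; the point is the missing NULL check, not full conformance. */
#include <stdbool.h>
#include <stddef.h>

/* Returns true if str is well-formed UTF-8; *end receives the first byte
 * that failed (or the terminating NUL). Dereferences str unconditionally. */
bool valid_utf8(const char *str, const char **end)
{
    const unsigned char *p = (const unsigned char *)str;
    while (*p != 0) {
        unsigned char c = *p;
        int len, k;
        if (c < 0x80)                              len = 1;
        else if ((c & 0xE0) == 0xC0 && c >= 0xC2)  len = 2;  /* no C0/C1 overlongs */
        else if ((c & 0xF0) == 0xE0)               len = 3;
        else if ((c & 0xF8) == 0xF0 && c <= 0xF4)  len = 4;
        else break;                         /* stray continuation or bad lead */
        for (k = 1; k < len; k++)
            if ((p[k] & 0xC0) != 0x80) break; /* truncated or bad continuation */
        if (k < len) break;
        p += len;
    }
    if (end) *end = (const char *)p;
    return *p == 0;
}

/* Hypothetical guard for a filename received from the remote peer. Returns
 * the validated length in bytes, or -1 when the name is NULL, empty or not
 * valid UTF-8, so the transfer request is rejected before any conversion
 * routine can dereference the pointer. */
long checked_filename_len(const char *remote_name)
{
    const char *end = NULL;
    if (remote_name == NULL || remote_name[0] == '\0')
        return -1;                /* this is the case that crashed above */
    if (!valid_utf8(remote_name, &end))
        return -1;
    return (long)(end - remote_name);
}
```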
