[Advisories] Libpurple security vulnerability CORE-2009-0727

[Elliott Sales de Andrade]

Well, I have two questions about this.

1. You have attached two copies of 'pidgin-1.txt'. Is there supposed to be a
'pidgin-2.txt'?
2. Paul and I looked into the code and we're not sure how this can be
triggered.
They outlined a two-step process. For the second step, they say buffer is
NULL, thus allowing a memcpy to an arbitrary location.
However, I don't see how this could happen. The buffer should either have
been allocated in the first step, or if that fails, the original message
would be destroyed. And without that, the second part could not occur. So,
how are they getting buffer to be NULL?

On Thu, Jul 30, 2009 at 5:55 PM, Luke Schierer <lschiere at pidgin.im> wrote:

> The following was sent to me privately (and encrypted) following a public
> request for contact information on the devel and support mailing lists.
>
> Luke
>
> Begin forwarded message:
>
>
>  From: "Core Security Advisories Team (jo)" <
>> advisories-publication at coresecurity.com>
>> Date: July 30, 2009 13:17:06 EDT
>> To: Luke Schierer <lschiere at pidgin.im>
>> Cc: CORE Security Technologies Advisories-publication <
>> advisories-publication at coresecurity.com>, Federico Muttis <
>> acid at corest.com>
>> Subject: Re: [Advisories] Libpurple security vulnerability CORE-2009-0727
>>
>>
>> Hi,
>>
>> I am attaching a preliminary version of the advisory, written by
>> Federico Muttis, encrypted with Luke's key. Don't hesitate to write back
>> if you have any doubts or comments.  We are planning to release the
>> advisory on August 18th, 2009.
>>
>> Regards,
>> Jose.
>>
>> --
>> José I. Orlicki
>> Advisories Team
>> Core Security Technologies
>>
>> http://corelabs.coresecurity.com/index.php?module=FrontEndMod&action=list&type=advisory
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20090731/088e2971/attachment.htm>