Remote crash in ICQ

[Mark Doliner]

On Sun, Jun 28, 2009 at 4:16 PM, Mark Doliner<mark at kingant.net> wrote:
> On Sun, Jun 28, 2009 at 4:48 AM, Josh Bressers<bressers at redhat.com> wrote:
>>
>> ----- "John Bailey" <rekkanoryo at rekkanoryo.org> wrote:
>>
>>> Warren Togami wrote:
>>> > Do we need a CVE number for this?
>>>
>>> I leave this as an excercise for everyone else to determine.
>>>
>>
>> Is this just a crash? My understanding is that we end up with a huge malloc,
>> which fails or causes the OOM to kick in?
>>
>> A crash like this can go both ways. If the default ICQ setting is to let any
>> user message you, it's probably an issue, but if it's only people on your
>> buddy list, not so much.
>
> I believe it is a remotely triggerable crash.  I believe the default
> ICQ setting is to let any user send web messages to you.  I think it
> should probably have a CVE number.

Oh, and I suspect there is probably no chance of remote code
execution.  The data that triggers the crash comes from the ICQ
servers, and I believe is limited to a fairly short length.  It's also
probably filtered quite a bit.

Attached is a patch to fix the bug.  It applies cleanly to 2.5.7,
2.5.6, 2.5.5 and 2.5.4 (with offset).  I didn't test any older
versions.  Only libpurple has changed, so if your Pidgin package links
to libpurple dynamically then you really only need to rebuild
libpurple.  Also, we've just released 2.5.8 which includes this fix
and a few other nice bug fixes.  Source packages are at
http://sourceforge.net/project/showfiles.php?group_id=235&package_id=230234&release_id=693070
and changelog at http://developer.pidgin.im/wiki/ChangeLog

Thanks, and sorry for the inconvenience.

-Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libpurple_fix_icq_sms_remote_crash.diff
Type: text/x-patch
Size: 2917 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20090628/f4e2d8ed/attachment.bin>