Remote crashes being fixed in Pidgin 2.6.6

Mark Doliner mark at kingant.net
Fri Feb 12 00:02:13 EST 2010


* We're working on 3 separate issues
* I wouldn't consider any of them public knowledge yet
* We have preliminary patches to fix all of them
* We'll try to provide a 2.6.6 tarball to you as early as possible.  Most likely a few hours after GMT 07:00:00am Feb 16
* Let's assume an embargo date of GMT 08:00:00am Feb 18 for all of them
* We'll release Pidgin 2.6.6 shortly after the embargo date.  It will include the fixes
* We'll not commit fixes for these specific issues until shortly after the embargo date

1. CVE-2010-0277 - "MSN SLP Remote Crash"

This is the crash discovered by Fabian Yamaguchi and mentioned at
http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html, but I
don't feel that there are enough published details about this for it
to be considered public.  I do not know if there is potential for
remote code execution.

We sent a diff out a few days ago (attached again here for
convenience).  It is made against trunk.  I have not tested how well
it applies against previous versions, but I'll try to do that in the
upcoming days if no one beats me to it.

2. CVE-2010-0420 - "Finch XMPP MUC Crash"

Discovered by Sadrul Habib Chowdhury a day or three ago.  In an XMPP
MUC, if someone changes the nick to '<br>' (using '/nick <br>' for
example), then libpurple ends up having two users with username '\n'
in the room, and finch crashes in this situation.  We do not believe
there is a possibility of remote code execution.

I believe this commit fixes the problem (although we also intend to
add an extra safety check to Finch):
http://developer.pidgin.im/viewmtn/revision/info/0085c32abf29d034d30feef1ffb1d483e316a9a8

3. "Smiley Denial of Service"

Pidgin becomes unresponsive and consumes lots of CPU when receiving an
IM containing many smileys.  This is a remote denial of service
attack, but is not exploitable in any other way.  It was reported to
us by Andrea Barisani of oCERT.  As far as I know there is no CVE#.

I've attached a preliminary diff which fixes the problem for me by
limiting the number of smileys in an IM window.  We may want to adjust
the limit on the number of smileys, and we're going to try to add a
limit on smileys per individual IM.  I'll send a revised diff if we
create one.


Pidgin devs: Please correct me if you notice any mistakes.
Packagers: Please let us know if you have questions or suggestions.

Thanks,
-Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin-CVE-2010-0277_take2.diff
Type: text/x-patch
Size: 3029 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20100211/add07d7c/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin_limit_number_of_smileys.diff
Type: text/x-patch
Size: 2738 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20100211/add07d7c/attachment-0001.bin>
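The mitigation described for issue 3 (bounding the number of smileys rendered per IM so a single message cannot drive CPU usage unboundedly) can be illustrated with the following added example. It is not Pidgin's or libpurple's code and not the attached diff; the smiley table, the cap value `MAX_SMILEYS_PER_IM`, and the function names `render_with_cap`, `count_rendered` and `render_matches` are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a tiny fixed smiley table (not libpurple's theme data). */
static const char *const SMILEYS[] = { ":)", ":(", ";)", ":D" };
#define NUM_SMILEYS (sizeof SMILEYS / sizeof SMILEYS[0])

/* Hypothetical per-message cap; the real limit lives in the attached
 * diff and may be a different number. */
#define MAX_SMILEYS_PER_IM 100

/* Returns the length of the smiley token starting at p, or 0 if none. */
static size_t match_smiley(const char *p) {
    for (size_t i = 0; i < NUM_SMILEYS; i++) {
        size_t n = strlen(SMILEYS[i]);
        if (strncmp(p, SMILEYS[i], n) == 0)
            return n;
    }
    return 0;
}

/* Copies msg into out, replacing each smiley with "[img]" (standing in
 * for an inserted image widget) until `cap` smileys have been rendered.
 * Any further smileys are passed through as plain text, so the rendering
 * work per message is bounded by `cap` regardless of message content.
 * With an effectively infinite cap this degenerates into the unbounded
 * behaviour the report describes. Returns the number of smileys rendered. */
size_t render_with_cap(const char *msg, size_t cap, char *out, size_t outlen) {
    size_t rendered = 0, o = 0;
    const char *p = msg;
    while (*p && o + 1 < outlen) {
        size_t n = match_smiley(p);
        if (n && rendered < cap) {
            const char *tag = "[img]";
            size_t t = strlen(tag);
            if (o + t >= outlen)
                break;              /* no room for the tag: stop cleanly */
            memcpy(out + o, tag, t);
            o += t;
            p += n;
            rendered++;
        } else {
            out[o++] = *p++;        /* ordinary text, or a smiley past the cap */
        }
    }
    out[o] = '\0';
    return rendered;
}

/* Convenience wrapper: how many smileys would be rendered for msg. */
size_t count_rendered(const char *msg, size_t cap) {
    char buf[4096];
    return render_with_cap(msg, cap, buf, sizeof buf);
}

/* Convenience wrapper: 1 if rendering msg with cap yields exactly expected. */
int render_matches(const char *msg, size_t cap, const char *expected) {
    char buf[4096];
    render_with_cap(msg, cap, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    char out[256];
    /* Constructed sample message with four smileys and a cap of two. */
    size_t n = render_with_cap("hi :) :) :) :)", 2, out, sizeof out);
    printf("%zu rendered: %s\n", n, out);
    (void)MAX_SMILEYS_PER_IM;
    return 0;
}
```

The point of the cap is that the cost of handling a message grows with the cap, not with the sender's input; smileys beyond the limit still display, just as text rather than images.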

