Pidgin MSN memory corruption issue
bressers at redhat.com
Mon Jan 25 18:11:30 EST 2010
----- "Paul Aurich" <paul at darkrain42.org> wrote:
> At Warren's request (and because Josh Bressers had a question about it
> that I don't feel qualified to answer) here are some details on the
> other MSN issue discussed in Fabian Yamaguchi's talk at 26C3. Please
> note that the details of this vulnerability are not yet public, nor is
> this necessarily the final version of the patch.
My question was, I see that slplink is allocated but not freed. I've not
looked at all the source though, so it's very likely freed elsewhere.
As my java-fu is crap, I can't get the exploit to build and run
(if someone could build a jar of a working exploit, that would be helpful
for analysis and testing purposes).
My understanding from reading the mail is that we're looking at a use-after-free
sort of flaw? If that's true, it's possibly exploitable, but will
likely be hard to exploit beyond a crash.
This also leads me to wonder. The default pidgin behavior is to accept
messages from users not on your buddy list. This is probably not ideal from
a security point of view. Perhaps it would make sense either not to allow
this by default, or to investigate something where, before pidgin processes
unknown messages, it prompts the user?
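The dangling-reference pattern behind a use-after-free of the kind speculated about above, as an added, constructed illustration that is not Pidgin's code, Paul Aurich's patch, or anything the thread shows. The `struct link` type, the two holder slots, and the helper names are all assumptions chosen to mirror the "allocated in one place, freed in another" ownership question; the vulnerable form clears only the slot it frees through, the hardened form clears every registered back-reference before freeing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not Pidgin code: a "link" object that two
 * places hold a pointer to, an owning session slot and a deferred
 * (pending-event) slot. Freeing through one holder while the other
 * still points at the object is the dangling reference that becomes a
 * use-after-free the next time the deferred consumer runs. */

#define MAX_HOLDERS 4

struct link {
    char peer[32];
    int state;
    /* back-references to every pointer slot that refers to this object */
    struct link **holders[MAX_HOLDERS];
    int nholders;
};

static struct link *link_new(const char *peer) {
    struct link *l = calloc(1, sizeof *l);
    if (!l) return NULL;
    snprintf(l->peer, sizeof l->peer, "%s", peer);
    l->state = 1;
    return l;
}

/* Attach a holder slot: *slot points at l, and l remembers the slot
 * so it can be cleared when the object goes away. */
static int link_attach(struct link *l, struct link **slot) {
    if (l->nholders >= MAX_HOLDERS) return -1;
    *slot = l;
    l->holders[l->nholders++] = slot;
    return 0;
}

/* Unsafe: frees the object but clears only the slot it was reached
 * through; every other holder is left dangling. */
static void link_free_unsafe(struct link **slot) {
    free(*slot);
    *slot = NULL;
}

/* Safe: clear every registered holder first, then free, so no stale
 * pointer survives the object. */
static void link_destroy(struct link *l) {
    for (int i = 0; i < l->nholders; i++)
        *l->holders[i] = NULL;
    free(l);
}

/* Consumer that runs later (a deferred event). Returns the link's state,
 * or -1 if the link has already gone away. */
static int pending_fire(struct link **slot) {
    struct link *l = *slot;
    if (l == NULL) return -1;
    return l->state;
}

/* Unsafe scenario: returns 1 if the pending slot still holds a (now
 * stale) pointer after the session slot freed the object. The stale
 * pointer is compared against NULL only, never dereferenced. */
static int demo_unsafe(void) {
    struct link *session = NULL, *pending = NULL;
    struct link *l = link_new("peer@example.invalid");  /* constructed */
    if (!l) return -1;
    link_attach(l, &session);
    link_attach(l, &pending);
    link_free_unsafe(&session);
    return pending != NULL;
}

/* Safe scenario: returns what the deferred consumer sees (-1: gone). */
static int demo_safe(void) {
    struct link *session = NULL, *pending = NULL;
    struct link *l = link_new("peer@example.invalid");  /* constructed */
    if (!l) return -2;
    link_attach(l, &session);
    link_attach(l, &pending);
    link_destroy(session);
    return pending_fire(&pending);
}

int main(void) {
    printf("unsafe free leaves pending dangling: %d\n", demo_unsafe());
    printf("safe destroy, pending_fire returns: %d\n", demo_safe());
    return 0;
}
```

The point of the holder registry is that whoever frees the object does not need to know every place that still refers to it; the object itself knows. Pidgin's real fix may take a different shape, and nothing here is a claim about the slplink code.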