Pidgin MSN memory corruption issue

Josh Bressers bressers at redhat.com
Mon Jan 25 18:11:30 EST 2010


----- "Paul Aurich" <paul at darkrain42.org> wrote:

> At Warren's request (and because Josh Bressers had a question about it
> that I don't feel qualified to answer) here are some details on the
> other MSN issue discussed in Fabian Yamaguchi's talk at 26C3. Please
> note that the details of this vulnerability are not yet public, nor is
> this necessarily the final version of the patch.
> 

My question was, I see that slplink is allocated but not freed. I've not
looked at all the source though, so it's very likely freed elsewhere.

As my java-fu is crap, I can't get the exploit to build and run
(if someone could build a jar of a working exploit, that would be helpful
for analysis and testing purposes).

My understanding from reading the mail is that we're looking at a use-after-free
sort of flaw? If that's true, it's possibly exploitable, but will
likely be hard to exploit beyond a crash.

This also leads me to wonder. The default pidgin behavior is to accept
messages from users not on your buddy list. This is probably not ideal from
a security point of view. Perhaps it would make sense to either not allow
this by default or investigate something where before pidgin processes
unknown messages, it prompts the user?

Thanks.

-- 
    JB
