Pidgin MSN memory corruption issue
Josh Bressers
bressers at redhat.com
Mon Jan 25 18:11:30 EST 2010
----- "Paul Aurich" <paul at darkrain42.org> wrote:
> At Warren's request (and because Josh Bressers had a question about it
> that I don't feel qualified to answer) here are some details on the
> other MSN issue discussed in Fabian Yamaguchi's talk at 26C3. Please
> note that the details of this vulnerability are not yet public, nor is
> this necessarily the final version of the patch.
>
My question was, I see that slplink allocated but not freed. I've not
looked at all the source though, so it's very likely freed elsewhere.
As my java-fu is crap, I can't get the exploit to build and run
(if someone could build a jar of a working exploit, that would be helpful
for analysis and testing purposes).
My understanding from reading the mail is that we're looking at a use after
free sort of flaw? If that's true, it's possibly exploitable, but will
likely be hard to exploit beyond a crash.
This also leads me to wonder. The default pidgin behavior is to accept
messages from users not on your buddy list. This is probably not ideal from
a security point of view. Perhaps it would make sense to either not allow
this by default or investigate something where before pidgin processes
unknown messages, it prompts the user?
Thanks.
--
JB
More information about the Packagers
mailing list