Remotely-triggerable crash in libpurple

Mark Doliner mark at kingant.net
Wed Jul 14 04:18:24 EDT 2010


A security vulnerability has been discovered in libpurple.  It is ONLY
a remote crash (null pointer dereference), not a buffer overflow.  In
the past we have had CVE numbers issued for this.  Josh, Jan or Tomas
from Red Hat, if you guys agree with all of this, do you think one of
you could handle issuing a CVE?  Thanks!

Affected software: All clients based on libpurple 2.7.0 and 2.7.1
(Pidgin 2.7.0, 2.7.1 and Finch 2.7.0, 2.7.1)
Discovered by: Me!
Public: no
Embargo date: How does August 5th sound?  That gives us one week to
finish making string changes, one week for translators to translate,
and one week for us to give you the 2.7.2 tarball and let you prepare
packages in advance.

Super Long Description of the Attached Patch:
This patch attempts to fix four bugs in the oscar protocol plugin that
were introduced with the X-Status code in Pidgin 2.7.0.

Problem #1 (the remotely-triggerable crash):
The crash happens when a buddy sets an xstatus message containing <desc>
but no closing </desc>, or <title> but no closing </title>.  The fix
is to check the result of strstr(closing_tag_name) and do nothing if it
is NULL.

Problem #2:
Fixes potential incorrect parsing of the xstatus string that could result
in an incorrect message being displayed to the libpurple user.  Happens if
an xstatus message contains </desc> before <desc>, or </title> before
<title>.  The fix is to start looking for the closing tag at the end
of the beginning tag rather than at the beginning of the xstatus xml.
Probably not a security problem, but definitely a bug.

Problem #3:
Fixes potential incorrect parsing of the xstatus string that could result
in the title not being shown to the libpurple user.  Happens if the close
title tag appears after the desc tag in the xstatus xml, because we add a
null character at the beginning of the close title tag, so strstr() for
the desc tag would stop searching there.  Probably not a security problem,
but definitely a bug.

Problem #4:
Fixes potential incorrect display of the xstatus string that could result
in an incorrect message being displayed to the libpurple user.  Happens
because we are reusing the 'xml' string when preparing the string for the user,
but we copy values from xml to xml.  If those values overlap with themselves
or with each other then an incorrect value could be displayed.  Probably not
a security problem, but definitely a bug.
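The following is an added illustration, not the attached patch or libpurple's own code: a small C extractor that applies the four fixes the message describes. It checks the strstr() result for the closing tag, searches for the closing tag only after the opening tag, never writes a NUL into the source string, and copies the value into a separate buffer so it cannot overlap. The function name and the sample messages are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated copy of the text between <tag> and </tag>,
 * or NULL if either tag is missing or </tag> precedes <tag> (the
 * message's problems #1 and #2).  xml is read-only, so no NUL is ever
 * written into it and the result cannot overlap it (problems #3, #4). */
static char *xstatus_extract(const char *xml, const char *tag)
{
    char open_tag[32], close_tag[32];
    if (xml == NULL || tag == NULL || strlen(tag) > 28)
        return NULL;
    snprintf(open_tag, sizeof open_tag, "<%s>", tag);
    snprintf(close_tag, sizeof close_tag, "</%s>", tag);
    const char *start = strstr(xml, open_tag);
    if (start == NULL)
        return NULL;
    start += strlen(open_tag);                  /* text begins after <tag> */
    const char *end = strstr(start, close_tag); /* search only past <tag> */
    if (end == NULL)
        return NULL;                            /* unterminated: do nothing */

    size_t len = (size_t)(end - start);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, start, len);                    /* separate buffer, no overlap */
    out[len] = '\0';
    return out;
}

/* Constructed samples, including the malformed shapes from the report. */
int main(void)
{
    const char *samples[] = {
        "<title>lunch</title><desc>back at 2</desc>", /* well-formed */
        "<desc>no closing tag",                        /* problem #1 */
        "</desc>junk<desc>real</desc>",                /* problem #2 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *title = xstatus_extract(samples[i], "title");
        char *desc = xstatus_extract(samples[i], "desc");
        printf("title=%s desc=%s\n", title ? title : "(none)", desc ? desc : "(none)");
        free(title);
        free(desc);
    }
    return 0;
}
```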

The patch is against the latest code in our source repository, and I
have not tested applying it to 2.7.0 or 2.7.1.  I suspect it'll apply
with no fuzz, possibly with an offset.  If you run into any problems
please let me know and I can try to help.

--Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: oscar_xstatus_remote_crash_fix_2.diff
Type: text/x-patch
Size: 4715 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20100714/ac880dd7/attachment.bin>