MSN emoticon DoS

Jan Lieskovsky jlieskov at redhat.com
Fri May 7 08:31:00 EDT 2010


Hi John,

   thanks for the heads-up.

John Bailey wrote:
> Hello, packagers,
> 
> I apologize for not notifying you of this issue sooner; I had forgotten about
> it, as we've been working on Pidgin 2.7.0 for so long.
> 
> A security vulnerability has been discovered in the MSN plugin for libpurple.
> 
> Affected software: libpurple 2.6.5 and 2.6.6; earlier versions may be affected.
> 
> Description:  We have been informed of a denial of service (crash) related to
> custom emoticons on the MSN protocol.  Both we and the original reporter believe
> this issue can NOT be used for code execution, but merely for a remote crash.
> The specific problem is a NULL pointer dereference.
> 
> Discovered by: Pierre Noguès
> 
> Public: no
> 
> Embargo date: none.
> 
> Attached is a patch written by Elliott Sales de Andrade that resolves the crash.
>  This fix will be included in Pidgin 2.7.0, which is currently aimed for a
> release late Monday night or Tuesday, but may be pushed back farther if needed
> for translations and coordinated releases.

<snip>

============================================================
--- libpurple/protocols/msn/slp.c	3791d1f2ebc50ec51989809ba3548a65f9cacc84
+++ libpurple/protocols/msn/slp.c	c3a93aa383cd7efd916831614a22261ca525c31b
@@ -929,6 +929,8 @@ msn_emoticon_msg(MsnCmdProc *cmdproc, Ms
  	conv = swboard->conv;

  	body = msn_message_get_bin_data(msg, &body_len);
+	if (!body || !body_len)
+		return;
  	body_str = g_strndup(body, body_len);
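
Review bot: the new `if (!body || !body_len) return;` guard ahead of `g_strndup(body, body_len)` discards an emoticon message with an empty body silently, and nothing in the hunk says why an empty body can reach this point. Consider a one-line comment above the check naming the NULL dereference it prevents, and a debug log line before the `return` so that a malformed message from a peer shows up in the debug log. The msnp9 copy of msn_emoticon_msg noted in the reply would need the same guard.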

</snip>

Just for completeness, there are two occurrences of the "void msn_emoticon_msg(MsnCmdProc *cmdproc, MsnMessage *msg);"
routine in the Pidgin *.c source code:

1, .../pidgin-2.6.6/libpurple/protocols/msn/slp.c:910:msn_emoticon_msg(MsnCmdProc *cmdproc, MsnMessage *msg)
2, .../pidgin-2.6.6/libpurple/protocols/msnp9/slp.c:805:msn_emoticon_msg(MsnCmdProc *cmdproc, MsnMessage *msg)

So you probably want to fix both of them. Though I am not sure how widely the code in the relevant "msnp9"
subdirectory is used nowadays.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> John