Upcoming Pidgin security disclosures

Tomas Hoger thoger at redhat.com
Fri Aug 19 08:38:45 EDT 2011

On Thu, 18 Aug 2011 02:14:18 -0700 Mark Doliner wrote:

> 2. Remote crash in MSN protocol plugin (yes, another one).  You
> haven't heard about this one yet.  Caused by incorrect handling of
> HTTP 100 Continue responses from MSN servers when using the HTTP
> connection method.  The HTTP connection method is not a default
> setting--it must have been enabled by the user for them to be
> susceptible to this attack.  We believe it is not possible to execute
> code.  It is possible for the server to trigger a crash.

Is this a buffer over-read as the patch suggests?  Looks like the
server needs to provide enough headers for the over-read size to be of
its choosing.

> We do not know whether it is possible for a remote user to trigger a
> crash, but it seems unlikely to us.  This bug isn't too bad, so my
> preference is to NOT get a CVE# for it.  But if people think a CVE#
> is a good idea then let's do it.

I'd say this should really depend on whether crashes by malicious
servers (or MITM attackers manipulating traffic to/from a server) are
considered security for pidgin, or rather viewed as undesired nuisance
which is still fairly unimportant compared to the actual use of
malicious server / MITMed server connection.  I agree this sounds more
like a bug.

Tomas Hoger / Red Hat Security Response Team

More information about the Packagers mailing list