Upcoming Pidgin security disclosures
Tomas Hoger
thoger at redhat.com
Fri Aug 19 08:38:45 EDT 2011

On Thu, 18 Aug 2011 02:14:18 -0700 Mark Doliner wrote:
> 2. Remote crash in MSN protocol plugin (yes, another one). You
> haven't heard about this one yet. Caused by incorrect handling of
> HTTP 100 Continue responses from MSN servers when using the HTTP
> connection method. The HTTP connection method is not a default
> setting--it must have been enabled by the user for them to be
> susceptible to this attack. We believe it is not possible to execute
> code. It is possible for the server to trigger a crash.

Is this a buffer over-read as the patch suggests? Looks like the
server needs to provide enough headers for the over-read size to be of
its choosing.

> We do not know whether it is possible for a remote user to trigger a
> crash, but it seems unlikely to us. This bug isn't too bad, so my
> preference is to NOT get a CVE# for it. But if people think a CVE#
> is a good idea then let's do it.

I'd say this should really depend on whether crashes by malicious
servers (or MITM attackers manipulating traffic to/from a server) are
considered security for pidgin, or rather viewed as an undesired nuisance
which is still fairly unimportant compared to the actual use of
a malicious server / MITMed server connection. I agree this sounds more
like a bug.
--
Tomas Hoger / Red Hat Security Response Team