Upcoming Pidgin security disclosures and 2.10.1

Jan Lieskovsky jlieskov at redhat.com
Thu Dec 8 07:08:32 EST 2011 

Hello Mark,

   thank you for the preliminary notification and apologize for
the delayed reply (this week has been busy from its beginning).

On 12/06/2011 10:57 AM, Mark Doliner wrote:
> Hi packagers of Pidgin!  Please don't disclose the following
> information to the public until after the embargo date!
>
> We've been made aware of 3 remote-crash bugs in Pidgin for which we'll
> be releasing version 2.10.1.

Prior assigning a CVE identifier for this, let me better understand
its impact.

>
> 1. Remote crash in XMPP handling incoming malformed jingle stanzas.
> This issue is not yet public.  Thijs Alkemade discovered it and
> notified us privately on October 23.  Josh, Jan, and Tomas of Red Hat:
> Would one of you be able to issue a CVE for this issue?  A patch can
> be downloaded from
> http://www.pidgin.im/~markdoliner/3fK87mgWR53g45p/fix_jabber_crash.diff

 From what I can tell after looking at the patch, it's fixing multiple
NULL pointer deference flaws, right?

Further context:
The point of adding purple_strequal() routine:
[1] http://developer.pidgin.im/ticket/7790

seems to be to have available a routine, which would duplicate content
of one argument to the other without crashing when receiving NULL pointer
/ value, right?

And by you referenced patch above, seems to ensure, that we wouldn't crash
when there are NULL values provided in various fields of Jabber Jingle
stanza, right?

Thus this shouldn't be exploitable for anything more than just pidgin
crash via specially-crafted Jingle stanza, right?

Also, to fix these issues in older (v2.6) Pidgin versions, it wouldn't
be sufficient to apply the above proposed patch, but also to apply
the commit introducing the purple_strequal() routine, right?
(if this got introduced later than in v2.6 version)

>
> 2. Remote crash in oscar when handling incoming buddy list-related
> SNACs.  Evgeny Boger discovered this and unfortunately notified us via
> our public bug tracker (http://developer.pidgin.im/ticket/14682), so
> the issue is considered public.  I do not believe a CVE exists for
> this yet.  I'll request a CVE from the oss-security at lists.openwall.com

Yes, OSS security mailing list would be the more safest solution, how
to request a CVE id for this (since this is already semipublic).

> mailing list closer to the embargo date.  A patch can be downloaded
> from http://www.pidgin.im/~markdoliner/3fK87mgWR53g45p/fix_oscar_crash.diff

 From look at the patch it implies, this is similar issue (IOW heap based
buffer overflow) like CVE-2011-3594 was. Just not in SILC plug-in this
time, but rather in Oscar protocol plug-in.

>
> 3. Remote crash in SILC when handling incoming messages.  This is the
> same issue Ethan emailed this list about on September 29th (yes, we're
> just now doing a Pidgin release to fix it).  Diego Bauche Madero from
> IOActive discovered this and notified us via our public bug tracker
> (http://developer.pidgin.im/ticket/14636).  Ethan has already obtained
> CVE-2011-3594.  Ethan included a partial patch in his previous email.
> A more complete patch can be downloaded from
> http://www.pidgin.im/~markdoliner/3fK87mgWR53g45p/fix_silc_crash_CVE-2011-3594.diff

Thank you for posting this. We will compare it to that one, which got
applied by us already:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3594
[3] 
http://developer.pidgin.im/viewmtn/revision/diff/be5e66abad2af29604bc794cc4c6600ab12751f3/with/7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8

>
> Lastly, we're planning to release 2.10.1 and disclose this information
> to the public on Saturday, Dec 10 at noon PST (20:00 UTC).

Thank you for clear embargo date and time.

   We have
> tagged 2.10.1 and built tarballs.  If you'd like to get a head start
> on your packaging, you can download them from
> http://www.pidgin.im/~markdoliner/3fK87mgWR53g45p/
>
> Once again, the above information is private until after the embargo
> date!  Please do not release this information publicly, or any of
> these URLs, or any of the files from those URLs, until after the
> embargo date!  That includes not entering this information into public
> public trackers or checking these files into public
> archives/repositories.

Sure thing. Understood.

Once you confirm / clarify / comment the impact of the first issue,
I will ask my team-mate to assign CVE id for this (as I don't have
this privilege directly) and would let you know it.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>
> Thanks,
> Mark
>
> _______________________________________________
> Packagers mailing list
> Packagers at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/packagers

More information about the Packagers mailing list