Upcoming Pidgin security disclosures and 2.10.1

Mark Doliner mark at kingant.net
Fri Dec 9 15:44:00 EST 2011

On Fri, Dec 9, 2011 at 2:20 AM, Jan Lieskovsky <jlieskov at redhat.com> wrote:
> 3) Will return to the CVE-2011-3594 issue yet.
> a, https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3594
>   (Red Hat Bugzilla bug)
> b, http://developer.pidgin.im/viewmtn/revision/diff/be5e66abad2af29604bc794cc4c6600ab12751f3/with/7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8
>   (originally proposed upstream patch)
> c, http://www.pidgin.im/~markdoliner/3fK87mgWR53g45p/fix_silc_crash_CVE-2011-3594.diff
>   (the new CVE-2011-3594 patch version you mentioned in post from 2011-12-06)
> Summary (diff b, vs c,):
> ========================
> The b, patch fixed the issue only in private messages. Patch c, is fixing
> the issue also in channel messages (with similar logic).
> Mark, can you confirm the CVE-2011-3594 issue would be exploitable to cause
> the same harm in channel messages (intended to be fixed by new patch) as in
> private messages (already contained within patch b,)?

That's my interpretation, yes.  I'm not really familiar with SILC,
though, so I could be wrong.  That's a downside of us continuing to
include a virtually unmaintained IM protocol :-(

> Asking because, if this is true (basically same nature issue, just being
> present in a different source code part), this would need a fourth CVE
> identifier (as incomplete fix for CVE-2011-3594 issue).

Hmm.  So you're saying a CVE pertains to a problem plus the associated
fix for that problem?  I've always thought of them as pertaining only
to the problem.

> Could you confirm the channel source code impersonates the same concern
> as the private messages issue?
> Once confirmed, I would allocate the fourth CVE identifier for the channel
> messages issue too (so it can be fixed by Linux distribution vendors, who
> have already applied the original patch for the CVE-2011-3594 issue).

Yeah I think that's accurate.

> CVE recapitulation:
> ii)  second CVE -- OSCAR UTF-8 issue. Going to be requested via OSS-security
>     once public.
>     One note here: Are we sure we are fixing both instances (private vs
>     channel OSCAR messages)?

I'm pretty confident that the oscar fix is complete--I was pretty
thorough when investigating and writing the patch.  (I should point
out that the oscar issue doesn't deal with private or channel
messages.  It deals with authorization requests when adding ICQ
buddies to your list.)
