Upcoming Pidgin security disclosures and 2.10.1

Jan Lieskovsky jlieskov at redhat.com
Sat Dec 10 16:00:03 EST 2011 

On 12/09/2011 09:44 PM, Mark Doliner wrote:
> On Fri, Dec 9, 2011 at 2:20 AM, Jan Lieskovsky<jlieskov at redhat.com>  wrote:
>>
>> 3) Will return to the CVE-2011-3594 issue yet.
>> a, https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3594
>>    (Red Hat Bugzilla bug)
>> b,
>> http://developer.pidgin.im/viewmtn/revision/diff/be5e66abad2af29604bc794cc4c6600ab12751f3/with/7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8
>>    (originally proposed upstream patch)
>> c,
>> http://www.pidgin.im/~markdoliner/3fK87mgWR53g45p/fix_silc_crash_CVE-2011-3594.diff
>>    (the new CVE-2011-3594 patch version you mentioned in post from
>> 2011-12-06)
>>
>> Summary (diff b, vs c,):
>> ========================
>> The b, patch fixed the issue only in private messages. Patch c, is fixing
>> the issue
>> also in channel messages (with similar logic).
>>
>> Mark, can you confirm, the CVE-2011-3594 issue would be exploitable to cause
>> the
>> same harm in channel messages (intended to be fixed by new patch) as in
>> private
>> messages (already contained within patch b,)?
>
> That's my interpretation, yes.  I'm not really familiar with SILC,
> though, so I could be wrong.  That's a downside of us continue to
> include a virtually unmaintained IM protocol :-(

 From look at SILC protocol overview (slides #6, #7 and #8):

http://www.google.cz/url?sa=t&rct=j&q=silc%20protocol%20channel%20message&source=web&cd=5&ved=0CEsQFjAE&url=http%3A%2F%2Fwww.stanford.edu%2Fclass%2Fcs259%2FWWW04%2Fprojects%2Fproject07%2F07%2520-%2520Slides.ppt&ei=DbzjTvC8Co6VOvn22MUE&usg=AFQjCNEOFnpKHEpD2rJebZXhKHYcM5wq5w&cad=rja

looks a similar issue is possible in SILC channel messages too.

>
>> Asking, because this is true (basically same nature issue, just being
>> present
>> in different source code part), this would need a fourth CVE identifier
>> (as incomplete fix for CVE-2011-3594 issue).
>
> Hmm.  So you're saying a CVE pertains to a problem plus the associated
> fix for that problem?  I've always thought of them as pertaining only
> to the problem.

Yes, CVE identifiers are related with some deficiency but also with
a particular upstream patch. If another issue (though similar like previous
one) is found in different code part, it needs a new CVE id.

>
>> Could you confirm the channel source code is impersonates the same concern
>> as private messages issue?
>>
>> Once, confirmed I would allocate the fourth CVE identifier for channel
>> messages
>> issue too (so it can be fixed by Linux distribution vendors, who have had
>> already
>> applied original patch for CVE-2011-3594 issue).
>
> Yeah I think that's accurate.

Ok, thank you.

>
>> CVE recapitulation:
>> ii)  second CVE -- OSCAR UTF-8 issue. Going to be requested via OSS-security
>>      once public,
>>      One note here: Are we sure, we are fixing both instances (private vs
>>      channel OSCAR messages)?,
>
> I'm pretty confident that the oscar fix is complete--I was pretty
> thorough when investigating and writing the patch.  (I should point
> out that the oscar issue doesn't deal with private or channel
> messages.  It deals with authorization requests when adding ICQ
> buddies to your list.)

Ok, brilliant.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

More information about the Packagers mailing list