Potential local information disclosure in libpurple/cipher.c

John Bailey rekkanoryo at rekkanoryo.org
Thu Feb 3 20:56:40 EST 2011


Hello,

Julia Lawall informed us of a few potential information leaks in
libpurple/cipher.c.  There are a number of functions which intend to clear a
data structure before freeing it.  As written, however, they effectively serve
to clear only the first sizeof(void *) bytes of the structure (that is, only as
many bytes as the size of a pointer are cleared).

Upon discussion, Ethan Blanton and I believe that this does not warrant the
issuing of a CVE ID, as we feel it does not meet those guidelines.  We also
believe these flaws aren't remotely exploitable and are mostly sloppiness.

The attached patch will be included in Pidgin 2.7.10, which I intend to release
this Sunday evening (sometime between 6:00 PM and 12:00 AM US EST).

John
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin-info-leak.diff
Type: text/x-patch
Size: 1917 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20110203/849bc53f/attachment.bin>
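
The bug class described in the message, as an added example that is not part of the original e-mail or of the Pidgin patch: clearing with the size of the pointer instead of the size of the structure it points to. The struct `demo_ctx`, the two clear functions and `residual_bytes` are hypothetical names constructed for illustration, and the 0xAA fill stands in for key material.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cipher context, constructed for this example; it is not a
 * structure taken from libpurple/cipher.c. */
struct demo_ctx {
    unsigned char key[32];
    unsigned char state[64];
    size_t total;
};

/* Flawed pattern: sizeof(ctx) is the size of the pointer, so only the first
 * sizeof(void *) bytes of the structure are zeroed. */
static void clear_flawed(struct demo_ctx *ctx)
{
    size_t n = sizeof(ctx);   /* pointer size, not structure size */
    memset(ctx, 0, n);
}

/* Corrected pattern: sizeof(*ctx) is the size of the structure itself. */
static void clear_fixed(struct demo_ctx *ctx)
{
    memset(ctx, 0, sizeof(*ctx));
}

/* Fill a context with 0xAA, run the given clear routine, and count the bytes
 * that still hold the fill value. Inspection happens before free(). */
static size_t residual_bytes(void (*clear)(struct demo_ctx *))
{
    struct demo_ctx *ctx = malloc(sizeof(*ctx));
    size_t i, left = 0;
    if (ctx == NULL)
        return (size_t)-1;
    memset(ctx, 0xAA, sizeof(*ctx));
    clear(ctx);
    for (i = 0; i < sizeof(*ctx); i++)
        if (((unsigned char *)ctx)[i] == 0xAA)
            left++;
    free(ctx);
    return left;
}

int main(void)
{
    printf("flawed clear leaves %zu bytes\n", residual_bytes(clear_flawed));
    printf("fixed clear leaves  %zu bytes\n", residual_bytes(clear_fixed));
    return 0;
}
```

GCC and Clang report the direct form `memset(ctx, 0, sizeof(ctx))` with `-Wsizeof-pointer-memaccess`, which is a cheap way to find other instances of this pattern in a code base.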