Denial of Service vulnerability in Pidgin
mark at kingant.net
Sun Jun 19 20:30:42 EDT 2011
Please do not release this information publicly until after the embargo date!
I discovered a denial of service vulnerability that affects Pidgin
(not libpurple or Finch). There are certain "corrupt" gif images that
gdk-pixbuf is ALMOST able to parse, but not quite. Specifically,
gdk-pixbuf returns a semi-valid GdkPixbuf struct; however, it ALSO
sets the GError parameter to an error message. In many places Pidgin
only checks the return value and ignores the GError parameter. When
Pidgin tries to resize this semi-bogus GdkPixbuf struct it causes
gdk-pixbuf to enter a loop and consume memory indefinitely.

This bug can be exploited by a remote user setting a corrupt gif buddy
icon and then sending you an IM. For some protocols (AIM at least) I
do not believe it matters whether the person is on your buddy list.
Because of how easy it is to perform this attack, I consider this to
be a fairly serious vulnerability.

I've attached a proposed patch. It's pretty large. I basically
changed every usage of the gdk-pixbuf functions regardless of whether
they're remotely exploitable (because it's sometimes difficult to
determine whether a specific usage is remotely exploitable). I'd love
any feedback. If you look at it, start with the helper functions in
gtkutils.[c|h]. Everything else is just changing the code to use
these helper functions. I have not attached a corrupt gif because I'm
worried that it might make its way into the wild. If anyone would
like a gif to test with, please email me directly and I'll consider

I'd like to announce this and release a fix on Thursday, June 23
(preferably late at night). That's really soon! Is that ok with
everyone? I can provide new tarballs late Tuesday night.

Josh, Jan, and Tomas of Red Hat: Would you be able to issue a CVE for
this issue? AFAIK one does not exist. (I believe Josh is already
aware of the issue, as I notified the gnome security list a few weeks

And again, please do not release this information publicly until after
the embargo date!
[A non-text attachment, 31141 bytes, was scrubbed by the list archive.]