Denial of Service vulnerability in Pidgin

Mark Doliner mark at
Sun Jun 19 20:30:42 EDT 2011

Helloooooooo packagers.

Please do not release this information publicly until after the embargo date!

I discovered a denial of service vulnerability that affects Pidgin
(not libpurple or Finch).  There are certain "corrupt" gif images that
gdk-pixbuf is ALMOST able to parse, but not quite.  Specifically
gdk-pixbuf returns a semi-valid GdkPixbuf struct, however, it ALSO
sets the GError parameter to an error message.  In many places Pidgin
only checks the return value and ignores the GError parameter.  When
Pidgin tries to resize this semi-bogus GdkPixbuf struct it causes
GdkPixbuf to enter a loop and consume memory indefinitely.

This bug can be exploited by a remote user setting a corrupt gif buddy
icon and then sending you an IM.  For some protocols (AIM at least) I
do not believe it matters whether the person is on your buddy list.
Because of how easy it is to perform this attack, I consider this to
be a fairly serious vulnerability.

I've attached a proposed patch.  It's pretty large.  I basically
changed every usage of the gdk pixbuf functions regardless of whether
they're remotely exploitable (because it's sometimes difficult to
determine whether a specific usage is remotely exploitable).  I'd love
any feedback.  If you look at it, start with the helper functions in
gtkutils.[c|h].  Everything else is just changing the code to use
these helper functions.  I have not attached a corrupt gif because I'm
worried that it might make its way into the wild.  If anyone would
like a gif to test with, please email me directly and I'll consider

Embargo date!
I'd like to announce this and release a fix on Thursday, June 23
(preferably late at night).  That's really soon!  Is that ok with
everyone?  I can provide new tarballs late Tuesday night.

Josh, Jan, and Tomas of Red Hat: Would you be able to issue a CVE for
this issue?  AFAIK one does not exist.  (I believe Josh is already
aware of the issue, as I notified the gnome security list a few weeks

And again, please do not release this information publicly until after
the embargo date!
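
The failure mode described in the message above, as an added example that is not part of the original e-mail or of the attached Pidgin patch: a loader hands back a non-NULL object and also sets an error, and the caller must treat the set error as failure. `Image`, `Error`, `decode`, `load_unchecked`, `load_checked` and the toy byte format are hypothetical stand-ins for GdkPixbuf, GError and a gdk-pixbuf load call, so the block runs without GTK.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins (assumptions) for GdkPixbuf and GError; not the gdk-pixbuf API. */
typedef struct { int width, height; unsigned char *pixels; } Image;
typedef struct { char message[64]; } Error;

/* Constructed sample inputs: width, height, then width*height pixel bytes. */
const unsigned char GOOD[] = {2, 2, 1, 2, 3, 4};   /* complete 2x2 image */
const unsigned char TRUNCATED[] = {2, 2, 1};       /* 1 of 4 pixel bytes */

static void set_error(Error **err, const char *msg) {
    if (err == NULL) return;               /* caller chose to ignore errors */
    *err = calloc(1, sizeof **err);
    if (*err == NULL) abort();
    snprintf((*err)->message, sizeof (*err)->message, "%s", msg);
}

void image_free(Image *img) { if (img) { free(img->pixels); free(img); } }

/* Toy decoder. Truncated pixel data yields a non-NULL, partly filled Image
 * AND an error: the "semi-valid" combination the message describes. */
Image *decode(const unsigned char *buf, size_t len, Error **err) {
    if (len < 2) { set_error(err, "missing header"); return NULL; }
    Image *img = calloc(1, sizeof *img);
    if (img == NULL) abort();
    img->width = buf[0]; img->height = buf[1];
    size_t need = (size_t)img->width * (size_t)img->height, have = len - 2;
    img->pixels = calloc(need ? need : 1, 1);
    if (img->pixels == NULL) abort();
    memcpy(img->pixels, buf + 2, have < need ? have : need);
    if (have < need) set_error(err, "truncated pixel data");
    return img;
}

/* Before: only the return value is checked; the semi-valid image gets through. */
Image *load_unchecked(const unsigned char *buf, size_t len) { return decode(buf, len, NULL); }

/* After: a set error means failure even though an object was returned. */
Image *load_checked(const unsigned char *buf, size_t len) {
    Error *err = NULL;
    Image *img = decode(buf, len, &err);
    if (err != NULL) {
        fprintf(stderr, "rejecting image: %s\n", err->message);
        free(err);
        image_free(img);                   /* release the partial object too */
        return NULL;
    }
    return img;
}
```
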

