Denial of Service vulnerability in Pidgin
jlieskov at redhat.com
Mon Jun 20 12:07:26 EDT 2011
thank you for the preliminary notification about the issue(s).
On 06/20/2011 02:30 AM, Mark Doliner wrote:
> Helloooooooo packagers.
> Please do not release this information publicly until after the embargo date!
> I discovered a denial of service vulnerability that affects Pidgin
> (not libpurple or Finch). There are certain "corrupt" gif images that
> gdk-pixbuf is ALMOST able to parse, but not quite. Specifically
> gdk-pixbuf returns a semi-valid GdkPixbuf struct, however, it ALSO
> sets the GError parameter to an error message. In many places Pidgin
> only checks the return value and ignores the GError parameter. When
> Pidgin tries to resize this semi-bogus GdkPixbuf struct it causes
> GdkPixbuf to enter a loop and consume memory indefinitely.
> This bug can be exploited by a remote user setting a corrupt gif buddy
> icon and then sending you an IM. For some protocols (AIM at least) I
> do not believe it matters whether the person is on your buddy list.
> Because of how easy it is to perform this attack, I consider this to
> be a fairly serious vulnerability.
> I've attached a proposed patch. It's pretty large. I basically
> changed every usage of the gdk pixbuf functions regardless of whether
> they're remotely exploitable (because it's sometimes difficult to
> determine whether a specific usage is remotely exploitable). I'd love
> any feedback.
We have privately contacted Matthew Barnes, Red Hat Pidgin package
maintainer with the request to have a look at the proposed patch
and let us know his opinion / feedback. The need to keep this in
secret till the proposed embargo date was accented there, of course.
> If you look at it, start with the helper functions in
> gtkutils.[c|h]. Everything else is just changing the code to use
> these helper functions. I have not attached a corrupt gif because I'm
> worried that it might make its way into the wild. If anyone would
> like a gif to test with, please email me directly and I'll consider
Thank you for the proposal (will do so in separate reply shortly).
> Embargo date!
> I'd like to announce this and release a fix on Thursday, June 23
> (preferably late at night). That's really soon! Is that ok with
> everyone? I can provide new tarballs late Tuesday night.
We are OK with the proposed embargo date.
> Josh, Jan, and Tomas of Red Hat: Would you be able to issue a CVE for
> this issue? AFAIK one does not exist. (I believe Josh is already
> aware of the issue, as I notified the gnome security list a few weeks
This one looks to be CVE worthy. But prior definitely assigning it,
would like to give a proof of concept image a try. Would reply with
the final reply / conclusion tomorrow, if you don't mind.
> And again, please do not release this information publicly until after
> the embargo date!
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
> Packagers mailing list
> Packagers at pidgin.im
More information about the Packagers