Denial of Service vulnerability in Pidgin
Jan Lieskovsky
jlieskov at redhat.com
Mon Jun 20 12:07:26 EDT 2011
Hello, Mark,
thank you for the preliminary notification about the issue(s).
On 06/20/2011 02:30 AM, Mark Doliner wrote:
> Helloooooooo packagers.
>
> Please do not release this information publicly until after the embargo date!
>
> I discovered a denial of service vulnerability that affects Pidgin
> (not libpurple or Finch). There are certain "corrupt" gif images that
> gdk-pixbuf is ALMOST able to parse, but not quite. Specifically
> gdk-pixbuf returns a semi-valid GdkPixbuf struct, however, it ALSO
> sets the GError parameter to an error message. In many places Pidgin
> only checks the return value and ignores the GError parameter. When
> Pidgin tries to resize this semi-bogus GdkPixbuf struct it causes
> GdkPixbuf to enter a loop and consume memory indefinitely.
>
> This bug can be exploited by a remote user setting a corrupt gif buddy
> icon and then sending you an IM. For some protocols (AIM at least) I
> do not believe it matters whether the person is on your buddy list.
> Because of how easy it is to perform this attack, I consider this to
> be a fairly serious vulnerability.
>
> I've attached a proposed patch. It's pretty large. I basically
> changed every usage of the gdk pixbuf functions regardless of whether
> they're remotely exploitable (because it's sometimes difficult to
> determine whether a specific usage is remotely exploitable). I'd love
> any feedback.
We have privately contacted Matthew Barnes, the Red Hat Pidgin package
maintainer, with the request to have a look at the proposed patch
and let us know his opinion / feedback. The need to keep this
secret until the proposed embargo date was stressed there, of course.
> If you look at it, start with the helper functions in
> gtkutils.[c|h]. Everything else is just changing the code to use
> these helper functions. I have not attached a corrupt gif because I'm
> worried that it might make its way into the wild. If anyone would
> like a gif to test with, please email me directly and I'll consider
> it.
Thank you for the proposal (I will do so in a separate reply shortly).
>
> Embargo date!
> I'd like to announce this and release a fix on Thursday, June 23
> (preferably late at night). That's really soon! Is that ok with
> everyone? I can provide new tarballs late Tuesday night.
We are OK with the proposed embargo date.
>
> Josh, Jan, and Tomas of Red Hat: Would you be able to issue a CVE for
> this issue? AFAIK one does not exist. (I believe Josh is already
> aware of the issue, as I notified the gnome security list a few weeks
> ago.)
This one looks to be CVE-worthy. But before definitely assigning one, I
would like to give a proof-of-concept image a try. I will reply with
the final reply / conclusion tomorrow, if you don't mind.
>
> And again, please do not release this information publicly until after
> the embargo date!
Understood.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
>
> --Mark
> _______________________________________________
> Packagers mailing list
> Packagers at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/packagers
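The check pattern Mark describes (a loader that returns a non-NULL object and also sets the GError, and callers that only look at the return value) can be shown with a small self-contained C sketch. This is an added illustration, not Pidgin's code or the patch; the Pixbuf/Error types and stub_pixbuf_new_from_data are constructed stand-ins for the gdk-pixbuf API, and load_icon_checked is an assumed helper shape, not the gtkutils helper from the patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for GdkPixbuf and GError (not the real GLib types). */
typedef struct { int width; int height; } Pixbuf;
typedef struct { char message[64]; } Error;

/* Constructed stand-in for the gdk-pixbuf loader. It mimics the behaviour the
 * mail describes: a "CORRUPT" input yields a non-NULL, semi-valid pixbuf AND
 * a set *error at the same time; "GOOD" succeeds; anything else fails outright. */
static Pixbuf *stub_pixbuf_new_from_data(const char *data, Error **error)
{
    if (error) *error = NULL;
    if (strcmp(data, "GOOD") == 0) {
        Pixbuf *p = malloc(sizeof *p);
        p->width = 48; p->height = 48;
        return p;
    }
    if (strcmp(data, "CORRUPT") == 0) {
        Pixbuf *p = malloc(sizeof *p);
        p->width = 0; p->height = 0;             /* semi-valid, unusable */
        if (error) {
            *error = malloc(sizeof **error);
            strcpy((*error)->message, "Premature end-of-file encountered");
        }
        return p;                                /* non-NULL despite the error */
    }
    return NULL;                                 /* outright failure */
}

/* Vulnerable pattern: only the return value is checked, the error is ignored,
 * so the semi-valid object is accepted and later handed to the resize path. */
static Pixbuf *load_icon_unchecked(const char *data)
{
    return stub_pixbuf_new_from_data(data, NULL);
}

/* Hardened pattern (assumed helper shape): a set error means failure even
 * when an object came back; the partial object is released, never resized. */
static Pixbuf *load_icon_checked(const char *data)
{
    Error *err = NULL;
    Pixbuf *p = stub_pixbuf_new_from_data(data, &err);
    if (err != NULL) {
        fprintf(stderr, "image rejected: %s\n", err->message);
        free(err);
        free(p);
        return NULL;
    }
    return p;
}
```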