Vulnerabilities in Yahoo protocol plugin

John Bailey rekkanoryo at rekkanoryo.org
Sat Mar 5 14:03:35 EST 2011


Hello, packagers,

Marius Wachtler discovered three remote crash bugs in our Yahoo protocol
handler.  All three of these are due to improper handling of malformed YMSG
packets that are missing fields we expect to be present, causing NULL pointer
dereferences.

The first bug is in the handling of SMS messages, which always are processed
through the Yahoo servers, making exploiting this bug rather difficult but still
possible.

The second and third bugs are in the handling of notification packets.  These
bugs can be triggered during peer-to-peer communication as well as through
packets processed through the Yahoo servers.  Again, processing through Yahoo's
servers makes the bug difficult to exploit, but when using peer-to-peer
connections these two bugs are trivial to exploit.

Just for clarification, remote code execution is not possible from these issues.
We also do not know of anyone actively exploiting these bugs.  As this is a
remote crash bug, I believe a CVE identifier is in order.  If anyone can assign
us one, we'd appreciate it.

Attached is a patch that fixes the problems.  We will be releasing Pidgin 2.7.11
with this patch included this coming Thursday, 2011-03-10.  The release will
happen in the US EST evening timeframe, likely around 8:00 PM or so, but
possibly slightly later.

John
-------------- next part --------------
A non-text attachment was scrubbed...
Name: yahoo-sms-notify-remote-crash-fix.diff
Type: text/x-patch
Size: 1218 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20110305/b3960be0/attachment.bin>
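The defect class described above is a handler dereferencing the value of a YMSG field that the packet never carried. The following is an added C example, not Pidgin's code and not the attached patch: it generalizes the fix into a required-key check that any handler runs before touching field values. The packet representation, the key numbers 4 and 14 and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-in for a decoded YMSG packet: numeric keys paired with string values.
 * Key numbers used below (4 = sender, 14 = message text) are assumed for illustration. */
typedef struct { int key; const char *value; } ymsg_pair;
typedef struct { const ymsg_pair *pairs; size_t n; } ymsg_pkt;

/* First value carried for a key, or NULL when the packet omits that field. */
static const char *ymsg_get(const ymsg_pkt *p, int key) {
    for (size_t i = 0; i < p->n; i++)
        if (p->pairs[i].key == key) return p->pairs[i].value;
    return NULL;
}

/* 1 if every required key is present, else 0 with *missing set to the first
 * absent key. A handler calls this before dereferencing any field value. */
static int ymsg_require(const ymsg_pkt *p, const int *keys, size_t nkeys, int *missing) {
    for (size_t i = 0; i < nkeys; i++)
        if (ymsg_get(p, keys[i]) == NULL) { *missing = keys[i]; return 0; }
    return 1;
}

/* Hardened notification handler: 0 on success, -1 when the packet is rejected.
 * Passing ymsg_get() results straight to string functions without this
 * check is the NULL-dereference pattern the advisory describes. */
static int handle_notify(const ymsg_pkt *p, char *out, size_t outlen) {
    static const int required[] = { 4, 14 };
    int missing;
    if (!ymsg_require(p, required, 2, &missing)) {
        snprintf(out, outlen, "dropped: missing key %d", missing);
        return -1;
    }
    snprintf(out, outlen, "%s: %s", ymsg_get(p, 4), ymsg_get(p, 14));
    return 0;
}

int main(void) {
    /* Constructed packets: one well-formed, one missing the message field. */
    const ymsg_pair good[] = { {4, "alice"}, {14, "hi"} };
    const ymsg_pair bad[]  = { {4, "alice"} };
    ymsg_pkt g = { good, 2 }, b = { bad, 1 };
    char buf[64];
    printf("%d %s\n", handle_notify(&g, buf, sizeof buf), buf);
    printf("%d %s\n", handle_notify(&b, buf, sizeof buf), buf);
    return 0;
}
```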