Vulnerabilities in Yahoo protocol plugin

Jan Lieskovsky jlieskov at redhat.com
Tue Mar 8 07:33:06 EST 2011


Hi John,

   thank you for the preliminary notification.

John Bailey wrote:
> Hello, packagers,
> 
> Marius Wachtler discovered three remote crash bugs in our Yahoo protocol
> handler.  All three of these are due to improper handling of malformed YMSG
> packets that are missing fields we expect to be present, causing NULL pointer
> dereferences.
> 
> The first bug is in the handling of SMS messages, which always are processed
> through the Yahoo servers, making exploiting this bug rather difficult but still
> possible.
> 
> The second and third bugs are in the handling of notification packets.  These
> bugs can be triggered during peer-to-peer communication as well as through
> packets processed through the Yahoo servers.  Again, processing through Yahoo's
> servers makes the bug difficult to exploit, but when using peer-to-peer
> connections these two bugs are trivial to exploit.
> 
> Just for clarification, remote code execution is not possible from these issues.
>  We also do not know of anyone actively exploiting these bugs.  As this is a
> remote crash bug, I believe a CVE identifier is in order.

Since the impact of all of the three flaws is the same (NULL pointer dereference,
leading to denial of service), one CVE id will be enough.

Please use CVE-2011-1091 for referencing these.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> If anyone can assign
> us one, we'd appreciate it.
> 
> Attached is a patch that fixes the problems.  We will be releasing Pidgin 2.7.11
> with this patch included this coming Thursday, 2011-03-10.  The release will
> happen in the US EST evening timeframe, likely around 8:00 PM or so, but
> possibly slightly later.
> 
> John
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Packagers mailing list
> Packagers at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/packagers
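
The bug class described in the message above (a handler using a packet field that the sender left out), shown as an added example that is not part of the original post and is not Pidgin's code. The packet model, the key numbers and the "TYPING" value are assumptions made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a decoded key/value packet; not Pidgin's data structures. */
struct pair { int key; const char *value; };
enum { KEY_FROM = 1, KEY_TYPE = 2, KEY_STATE = 3 };   /* hypothetical field keys */

/* Return the value stored for key, or NULL when the sender omitted the field. */
static const char *find_field(const struct pair *p, size_t n, int key)
{
    for (size_t i = 0; i < n; i++)
        if (p[i].key == key)
            return p[i].value;
    return NULL;
}

/* Unchecked pattern: assumes KEY_TYPE is always present. */
int handle_notify_unchecked(const struct pair *p, size_t n)
{
    const char *type = find_field(p, n, KEY_TYPE);
    return strcmp(type, "TYPING") == 0;   /* NULL dereference if the field is absent */
}

/* Checked pattern: 1 = typing notification, 0 = other, -1 = malformed, drop the packet. */
int handle_notify_checked(const struct pair *p, size_t n)
{
    const char *from  = find_field(p, n, KEY_FROM);
    const char *type  = find_field(p, n, KEY_TYPE);
    const char *state = find_field(p, n, KEY_STATE);

    if (from == NULL || type == NULL || state == NULL || from[0] == '\0')
        return -1;                        /* validate every expected field before use */
    return strcmp(type, "TYPING") == 0 && strcmp(state, "1") == 0;
}

int main(void)
{
    /* Constructed sample packets: one complete, one missing KEY_TYPE. */
    struct pair ok[]      = { {KEY_FROM, "alice"}, {KEY_TYPE, "TYPING"}, {KEY_STATE, "1"} };
    struct pair missing[] = { {KEY_FROM, "alice"}, {KEY_STATE, "1"} };
    printf("complete packet:  %d\n", handle_notify_checked(ok, 3));
    printf("malformed packet: %d\n", handle_notify_checked(missing, 2));
    return 0;
}
```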


