Pidgin 2.8.0: MSN, No QQ...

Jan Lieskovsky jlieskov at redhat.com
Thu May 12 11:53:09 EDT 2011


Hello, Paul,

   thank you for the preliminary report and for the patch.

Paul Aurich wrote:
> And Paul Aurich spoke on 05/11/2011 09:44 PM, saying:
>> 2) We have a remote crashing (NULL deref) bug in the MSN protocol plugin,
>> for which we probably need a CVE#.  Our resident MSN expert, Elliott,
>> believes it's not exploitable by another user, although a malicious entity
>> MITMing a Pidgin user could crash Pidgin.

This does not sound like a security flaw. If the attacker can MITM a pidgin
user, they could insert / modify all their data.

Why does Pidgin upstream think this should be considered a security issue?

Having read your above description, I would formulate the problem as:

A NULL pointer dereference flaw was found in the way Pidgin MSN protocol handler
processed user session identifier data from an HTTP connection. A remote
attacker could use this flaw to spoof the Pidgin client and conduct
man-in-the-middle (MITM) attacks via a specially-crafted user session identifier,
leading to Pidgin crash.

But if the above paragraph is correct, this would not be considered to
be a security issue (if the attacker can MITM / insert crafted 'full_session_id'
they can modify everything).

Could you clarify the attack vector? (if the above paragraph is not correct)

Thank you & Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>> I've attached the proposed patch
>> from Mark Doliner.
> 
> Naturally, the attached patch is more correct; that other one contained
> extraneous stuff from my tree.
> 
> ~Paul