Pidgin 2.8.0: MSN, No QQ...
Jan Lieskovsky
jlieskov at redhat.com
Thu May 12 11:53:09 EDT 2011
Hello, Paul,
thank you for the preliminary report and for the patch.
Paul Aurich wrote:
> And Paul Aurich spoke on 05/11/2011 09:44 PM, saying:
>> 2) We have a remote crashing (NULL deref) bug in the MSN protocol plugin,
>> for which we probably need a CVE#. Our resident MSN expert, Elliott,
>> believes it's not exploitable by another user, although a malicious entity
>> MITMing a Pidgin user could crash Pidgin.
This does not sound like a security flaw. If the attacker can MITM a pidgin
user, they could insert / modify all their data.
Why does Pidgin upstream think this should be considered a security issue?
Having read your above description, I would formulate the problem as:
A NULL pointer dereference flaw was found in the way Pidgin MSN protocol handler
processed user session identifier data from an HTTP connection. A remote
attacker could use this flaw to spoof the Pidgin client and conduct
man-in-the-middle (MITM) attacks via a specially-crafted user session identifier,
leading to a Pidgin crash.
But if the above paragraph is correct, this would not be considered to
be a security issue (if the attacker can MITM / insert crafted 'full_session_id'
they can modify everything).
Could you clarify the attack vector? (if the above paragraph is not correct)
Thank you & Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
>> I've attached the proposed patch
>> from Mark Doliner.
>
> Naturally, the attached patch is more correct; that other one contained
> extraneous stuff from my tree.
>
> ~Paul