Inadvertent public disclosure of remote crasher

Jan Lieskovsky jlieskov at redhat.com
Fri Sep 30 04:15:45 EDT 2011


Hello Ethan,

   thank you for the notification. It is appreciated.

On 09/30/2011 04:45 AM, Ethan Blanton wrote:
> Hi all,
>
> There has been a public disclosure, along with enough information to
> reproduce, of a remote crasher in our SILC plugin:
>
>      http://developer.pidgin.im/ticket/14636

The reporter in that ticket mentions there might be more occurrences
of the same deficiency in the Pidgin code. Quoting him, to be exact:

"I'm not sure if this is bug is only found inside the SILC plugin, I
did not check other protocols, but anything using
g_markup_escape_text() without making sure it is proper UTF-8 is
potentially susceptible to the same problems."

A simple grep of the code returns:

pidgin-2.10.0]# grep -rHn "g_markup_escape_text" * | wc -l
241

Wondering if you have had a chance to look at / investigate the other places /
occurrences of the same function call yet? If not, is there a plan
to do so?

>
> I believe I have introduced a correct fix for this bug to the monotone
> repository as 7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8.  I have
> attached it to this email.
>
> You may wish to release patched packages at your convenience.

Ok, thank you for this approval.

> As this
> bug was publicly disclosed before the fix was available, there is no
> embargo.  We will be requesting a CVE as soon as we gather the
> appropriate information from the discoverer.

Since the issue is already public, we can't assign a CVE identifier
(as we would risk a duplicate CVE; maybe you are aware of the policy
already, though). In any case, once the required information has been
retrieved, would it be possible for you to request the CVE identifier via
the oss-security mailing list channel [1]?
[1] http://oss-security.openwall.org/wiki/mailing-lists/oss-security

>  I do not know what the
> current schedule is for 2.10.1, but we will keep you posted.

Thank you again.

>
> Apologies for the mad scramble, I will be discussing appropriate
> disclosure techniques with the reporter.

No worries. Thank you again for the timely notification.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>
> Ethan
>
>
>
> _______________________________________________
> Packagers mailing list
> Packagers at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/packagers
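The check the reporter describes above (make sure the text is proper UTF-8 before handing it to g_markup_escape_text()), as an added example in C that is not part of this thread, of Pidgin or of GLib; utf8_is_valid() and escape_markup_checked() are hypothetical stand-ins for g_utf8_validate() and g_markup_escape_text() so the block builds without GLib, and all inputs are constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for g_utf8_validate(): 1 if the len bytes at s are
 * well-formed UTF-8. Rejects truncation, stray continuation bytes, overlong
 * forms, UTF-16 surrogates and values above U+10FFFF. */
int utf8_is_valid(const unsigned char *s, size_t len) {
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i];
        size_t n; unsigned int cp, min;
        if (c < 0x80) { i++; continue; }                        /* ASCII */
        else if ((c & 0xE0) == 0xC0) { n = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { n = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { n = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;                                           /* 0x80-0xBF, 0xF8+ */
        if (i + n >= len) return 0;                              /* truncated at end */
        for (size_t k = 1; k <= n; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;             /* bad continuation */
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += n + 1;
    }
    return 1;
}

/* Hypothetical stand-in for g_markup_escape_text() with the missing check in
 * front: escaping runs only after the input validated, so a malformed message
 * from a remote peer is refused (NULL) instead of being walked byte by byte. */
char *escape_markup_checked(const char *text) {
    size_t len = strlen(text);
    if (!utf8_is_valid((const unsigned char *)text, len)) return NULL;
    char *out = malloc(len * 6 + 1);        /* worst case: every byte -> "&quot;" */
    if (!out) return NULL;
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        const char *rep;
        switch (text[i]) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&apos;"; break;
            default:   *p++ = text[i]; continue;
        }
        size_t r = strlen(rep); memcpy(p, rep, r); p += r;
    }
    *p = '\0';
    return out;
}
```

A caller that receives NULL should drop or sanitise the message rather than escape it; the real g_markup_escape_text() also escapes control characters, which this stand-in leaves alone.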
