Buffer overflow in Pidgin MXit protocol plugin

Jan Lieskovsky jlieskov at redhat.com
Tue Jul 3 09:05:51 EDT 2012


Hi Mark,

   thank you for the notification.

On 07/03/2012 08:40 AM, Mark Doliner wrote:
> -- please do not release this information publicly until after the
> embargo date --
>
> (cc'ing the discoverer of this bug as well as the developers of the
> MXit protocol plugin)
>
> Hello packagers of Pidgin for various operating systems,
>
> Ulf Härnhammar found and privately reported to us a buffer overflow
> when handling an incoming instant message in the MXit protocol plugin.
> I believe this bug can be exploited by a remote user to cause a
> crash, and in some circumstances can lead to remote code execution.  I
> believe this to be a fairly serious bug for any users of the MXit
> protocol plugin (it's one of the standard protocols that we include
> and is popular in South Africa).
>
> The fix is pretty easy.  You can find a patch for the problem, as well
> as tarballs for 2.10.5 here:
> http://pidgin.im/~markdoliner/lkFja97sFw89/  This is sensitive
> information!  Please be careful not to share this with the public.
> Please be careful not to post it on public bug trackers, commit it to
> public version control systems, etc.
>
> The embargo date is 16:00 UTC on 2012-07-05 (roughly three days from
> now).  At this time we will post this information at
> http://pidgin.im/news/security/?id=64 and we will release Pidgin
> 2.10.5 containing the attached patch.
>
> Josh, Jan, and Tomas of Red Hat: Would you be able to issue a CVE for
> this issue?  AFAIK one does not exist and the issue is not public.

Please use the CVE-2012-3374 identifier for this issue.

>
> Thanks, and please let me know if anyone has any questions.
> --Mark

Mark / Ulf, do you possibly have a reproducer (crafted RX message data /
emoticon tag), which could be used to reproduce this flaw in our own
lab testing environment?

If so, would you mind sharing it (privately [1]) with us? (so we would
have a testing scenario to provide to the testing engineers)

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: Please use the following GPG key for sharing any sensitive information
       with us:
       [1] https://access.redhat.com/security/team/key/

       The reproducer provided (if any) will be handled carefully / as confidential,
       and will *never* be made public. As clarified earlier, it's intended to serve
       only for internal issue and patch testing purposes.
>
> -- please do not release this information publicly until after the
> embargo date --


