Pidgin 2.10.4 and a possible remote crash

Jan Lieskovsky jlieskov at redhat.com
Mon May 7 06:41:08 EDT 2012


Hi Mark,

   thank you for the notification.

On 05/07/2012 07:34 AM, Mark Doliner wrote:
> FYI we just released Pidgin 2.10.4.  Publicly we listed two potential
> remote crashes.  Privately, I'm not concerned about the XMPP one at
> all.  I think it requires the victim to accept a file transfer before
> the crash is triggered.  The reporter obtained a CVE for this on his
> own (CVE-2012-2214).
>
> The MSN remote crash seems worse to me.  I think it's worth patching.
> I don't believe a CVE exists for this, and I'm about to request one.

Regarding the MSN issue: from what I can tell from the information available
and the relevant upstream patch:
http://developer.pidgin.im/viewmtn/revision/diff/d991ff6d558d185527a09eae0378edb3fc7057a5/with/94cbd5a68ee237c970d8bd6d9d53106f1b9627ad/libpurple/protocols/msn/msg.c

it looks like the crash is happening in the g_convert() routine:

-		char *body = g_convert(msg->body, msg->body_len, "UTF-8",
-				"ISO-8859-1", NULL, &msg->body_len, NULL);
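Review bot: the removed call passes `msg->body_len` as the input length and `&msg->body_len` as the bytes_written output in the same call, so after it returns `body_len` describes the converted UTF-8 result rather than the original `msg->body` buffer, and any later code that still pairs `body_len` with the old buffer (or with a NULL result) will be working with a mismatched length. The last argument is also a NULL `GError **`, so a conversion failure returns NULL with no diagnostic; a replacement should keep the input length and the output byte count in separate variables, check the return value before touching the message, and only then update both fields together.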

When compared with the definition:
http://developer.gnome.org/glib/2.30/glib-Character-Set-Conversion.html#g-convert

has upstream investigated the reason for this crash further?

In other words, are you able to tell whether the crash is happening due to an invalid
read out of a heap-based buffer (by an attempt to access the value of one of the

msg->body, msg->body_len or &msg->body_len

arguments), or whether it could also lead to an invalid heap-based buffer write
(later in the code)?

Do you have, and would you be willing to privately share with us, a snippet of an
incoming MSN message containing crafted characters or character encodings which
would lead to a client crash? (So we could investigate further whether this is
just a pidgin / MSN plug-in crash, or whether there is also an invalid write
happening internally, in order to properly establish the impact of this issue.)

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>
> Info about the two problems here:
> http://pidgin.im/news/security/?id=62 (xmpp)
> http://pidgin.im/news/security/?id=63 (msn)
>
> Diff to fix the XMPP bug:
> http://developer.pidgin.im/viewmtn/revision/rawdiff/ff142855237badeceb6d61e1d96f0410f94d6eaf/with/d991ff6d558d185527a09eae0378edb3fc7057a5
>
> Diff to fix the MSN bug:
> http://developer.pidgin.im/viewmtn/revision/rawdiff/d991ff6d558d185527a09eae0378edb3fc7057a5/with/94cbd5a68ee237c970d8bd6d9d53106f1b9627ad
>
> In addition, 2.10.4 supports building against the renamed "Farstream"
> library for voice and video (in addition to the original "Farsight"
> name).
>
> _______________________________________________
> Packagers mailing list
> Packagers at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/packagers
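The question Jan raises above is whether the length bookkeeping around the ISO-8859-1 to UTF-8 conversion can turn into an out-of-bounds read or write. The following is an added example, not code from Pidgin or libpurple, showing the length handling a converter of that kind needs so that the question does not arise: the input is read only up to its explicit byte length (MSN bodies are length-delimited, not NUL-terminated), the output buffer is sized for the worst-case two-byte expansion before anything is written, the input length and the output byte count live in separate variables, and the message's body pointer and length are replaced together only after the conversion succeeded. The `msg_t` structure and the `msg_*` helpers are constructed stand-ins for illustration; it does not reproduce the Pidgin bug, whose root cause the thread leaves open.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for the message structure discussed in the thread:
 * a raw body plus its length in bytes. The real libpurple struct differs. */
typedef struct {
    char  *body;
    size_t body_len;
} msg_t;

/* Convert an ISO-8859-1 buffer of in_len bytes to NUL-terminated UTF-8.
 * Every Latin-1 byte maps to at most two UTF-8 bytes, so the output is
 * sized for that worst case up front and every write is bounds-checked.
 * The caller's in_len is never modified; the output length goes to *out_len.
 * Returns a heap buffer the caller frees, or NULL on failure. */
char *latin1_to_utf8(const char *in, size_t in_len, size_t *out_len)
{
    if (in == NULL || out_len == NULL) return NULL;
    if (in_len > (SIZE_MAX - 1) / 2) return NULL;   /* 2*in_len + 1 must not overflow */
    size_t cap = in_len * 2 + 1;                    /* worst-case expansion plus NUL */
    char *out = malloc(cap);
    if (out == NULL) return NULL;

    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {           /* reads bounded by in_len, not strlen */
        unsigned char c = (unsigned char)in[i];
        size_t need = (c < 0x80) ? 1 : 2;
        if (o + need > cap - 1) { free(out); return NULL; }  /* keep room for the NUL */
        if (c < 0x80) {
            out[o++] = (char)c;
        } else {
            /* 0x80..0xFF encode as two bytes: 110000xx 10xxxxxx */
            out[o++] = (char)(0xC0 | (c >> 6));
            out[o++] = (char)(0x80 | (c & 0x3F));
        }
    }
    out[o] = '\0';
    *out_len = o;
    return out;
}

/* Re-encode a message body. Both fields are replaced only after the
 * conversion succeeded, so a failure leaves body and body_len consistent
 * with each other instead of leaving body_len describing a buffer that
 * was never produced. Returns 0 on success, -1 on failure. */
int msg_recode_body(msg_t *msg)
{
    size_t new_len = 0;                             /* separate from msg->body_len */
    char *converted = latin1_to_utf8(msg->body, msg->body_len, &new_len);
    if (converted == NULL) return -1;
    free(msg->body);
    msg->body = converted;
    msg->body_len = new_len;
    return 0;
}

/* Build a message from a constructed raw buffer (not NUL-terminated, like
 * a length-delimited wire body). */
msg_t *msg_new(const char *raw, size_t raw_len)
{
    msg_t *m = malloc(sizeof *m);
    if (m == NULL) return NULL;
    m->body = malloc(raw_len ? raw_len : 1);
    if (m->body == NULL) { free(m); return NULL; }
    memcpy(m->body, raw, raw_len);
    m->body_len = raw_len;
    return m;
}

void msg_free(msg_t *m)
{
    if (m) { free(m->body); free(m); }
}
```

Running it on the constructed body "caf\xe9" (four Latin-1 bytes) yields the five-byte UTF-8 string "caf\xc3\xa9" with `body_len` updated to 5 only after the new buffer exists; the design point is that no single variable ever serves as both the input length and the output byte count.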



More information about the Packagers mailing list