ICQ excessive memory allocation again

Mark Doliner mark at kingant.net
Wed Jul 21 12:19:04 EDT 2010


On Wed, May 26, 2010 at 11:01 AM, Mark Doliner <mark at kingant.net> wrote:
> On Fri, Feb 26, 2010 at 5:10 PM, Jan Kaluza <hanzz.k at gmail.com> wrote:
>> Hi,
>> I'm using libpurple as the network library for my XMPP Transport. I think
>> I have a similar problem to one security issue which should already be
>> fixed in 2.5.8 ( http://pidgin.im/news/security/?id=33 ). I think I
>> don't have to describe my problem more, because symptoms are basically
>> the same as in mentioned issue. Unfortunately I can't say what client
>> caused it. I'm using libpurple 2.6.5. I will keep the core dump and
>> current binary for required time, so feel free to ask me for more
>> information.
>>
>> These are last few lines of the debug log:
>> [02/26/10 10:01:05] <libpurple/oscar> incomingim_ch1: unknown TLV
>> 0x000d (len 40)
>> [02/26/10 10:01:05] <libpurple/oscar> Received IM from 442406467 with 1 parts
>> [02/26/10 10:01:05] <libpurple/oscar> Parsing IM part, charset=0x0002,
>> charsubset=0x0026, datalen=122, choice1=UTF-16BE, choice2=UTF-8,
>> choice3=
>> [02/26/10 10:01:05] <libpurple/oscar> Received a channel 4 message of type 0x1a.
>>
>> GLib-ERROR **: gmem.c:135: failed to allocate 3137339393 bytes
>> aborting...
>
> Hi Jan.  Thanks for letting us know about this!  And sorry we haven't
> responded to your email!  I should probably get most of the blame
> since I'm more responsible for oscar code than other people, and I
> think I wrote the code that's crashing.
>
> I can confirm that this does indeed still crash.  We see it at Meebo
> occasionally.  But I don't know what causes it and I've been unable to
> reproduce it.  You don't happen to know how to trigger this bug, do
> you?  The code that's crashing deals with "SMS or someone has sent you
> a greeting card or requested buddies."
>
> Since I don't really know what an ICQ SMS is and can't find a way to
> send one to myself, I'm leaning towards disabling that code.  And if
> we don't know how to trigger this crash then I'd vote for not
> bothering with a CVE or notifying packagers, since it doesn't seem to
> be too serious of a problem.

This is fixed in im.pidgin.pidgin, im.pidgin.pidgin.2.7.2, and Pidgin
2.7.2, which is halfway released.
http://pidgin.im/pipermail/commits/2010-July/017855.html
http://pidgin.im/pipermail/commits/2010-July/017853.html
https://sourceforge.net/projects/pidgin/files/Pidgin/2.7.2/

Thanks!
--Mark
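As an added illustration, not Pidgin's own code (the real channel 4 parser is not shown on this page): a length-prefixed field reader that refuses to allocate when the claimed length is not backed by bytes actually received, the kind of check that turns a request like the 3 GB allocation in the log above into a rejected message. The 16-bit big-endian length field, the MAX_PART_LEN cap, and the sample buffers are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on one message part; the real parser's limits are not
 * given on this page. Anything larger is treated as hostile input. */
#define MAX_PART_LEN 65535u

/* Read a 16-bit big-endian length followed by that many bytes from buf,
 * starting at *pos. On success returns a freshly allocated NUL-terminated
 * copy (caller frees) and advances *pos; returns NULL, without allocating,
 * when the claimed length is not backed by real data. Big-endian is an
 * assumption for this example. */
static uint8_t *read_len_prefixed(const uint8_t *buf, size_t buflen,
                                  size_t *pos, size_t *outlen)
{
    size_t p = *pos;
    if (buflen < p || buflen - p < 2)
        return NULL;                 /* no room for the length field itself */
    size_t len = ((size_t)buf[p] << 8) | buf[p + 1];
    p += 2;
    if (len > MAX_PART_LEN || len > buflen - p)
        return NULL;                 /* length exceeds what was received: refuse */
    uint8_t *copy = malloc(len + 1); /* +1 for the terminating NUL */
    if (copy == NULL)
        return NULL;
    memcpy(copy, buf + p, len);
    copy[len] = '\0';
    *pos = p + len;
    *outlen = len;
    return copy;
}

/* Constructed sample inputs, not captured traffic. */
static const uint8_t good_msg[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t bad_msg[]  = { 0xff, 0xff, 'x' }; /* claims 65535 bytes, carries 1 */

/* Returns 1 if the reader accepts the input, 0 if it rejects it. */
int try_parse(const uint8_t *buf, size_t buflen)
{
    size_t pos = 0, outlen = 0;
    uint8_t *part = read_len_prefixed(buf, buflen, &pos, &outlen);
    if (part == NULL)
        return 0;
    printf("part (%zu bytes): %s\n", outlen, part);
    free(part);
    return 1;
}
```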
