Remotely triggerable crash
datallah at pidgin.im
Fri Sep 10 14:30:49 EDT 2010
NOTE: This is non-public information, please don't post it publicly
(including committing fixes to public repositories) until after a
coordinated public disclosure has been made (e.g. after the release
containing the fix).
While investigating http://developer.pidgin.im/ticket/12614, I've
discovered what appears to be a remotely triggerable crash in the
If we receive a particular status key value that is NULL or has a
length of 1, a NULL pointer will be dereferenced.
The problem is that the return value of purple_base64_decode() isn't
being examined to make sure it isn't NULL before looking at the
changed-by-reference "length" value (which will not be set if the
function has failed to complete successfully). The mistaken
assumption is that if the "length" parameter ends up being >0, then
the function has succeeded.
As you can see in the ticket referenced above, this is something that
is already happening.
I looked through other uses of purple_base64_decode() and
purple_base16_decode() (which works in a similar way) and there appear
to be a number of other places where additional validation will need
to be done. It is possible that some of these are also exploitable,
but I need to look more carefully to be sure.
I'll come up with a patch in the next few days and we can figure out a
plan for a coordinated release, but I figured I'd give everyone a
heads up and get a few more eyes to evaluate the impact.
More information about the security