Remotely triggerable crash

Daniel Atallah datallah at pidgin.im
Fri Sep 10 14:30:49 EDT 2010


NOTE:  This is non-public information, please don't post it publicly
(including committing fixes to public repositories) until after a
coordinated public disclosure has been made (e.g. after the release
containing the fix).

While investigating http://developer.pidgin.im/ticket/12614, I've
discovered what appears to be a remotely triggerable crash in the
yahoo protocol.

If we receive a particular status key value that is NULL or has a
length of 1, a NULL pointer will be dereferenced.

The problem is that the return value of purple_base64_decode() isn't
being examined to make sure it isn't NULL before looking at the
changed-by-reference "length" value (which will not be set if the
function has failed to complete successfully).  The mistaken
assumption is that if the "length" parameter ends up being >0, then
the function has succeeded.

As you can see in the ticket referenced above, this is something that
is already happening.

I looked through other uses of purple_base64_decode() and
purple_base16_decode() (which works in a similar way) and there appear
to be a number of other places where additional validation will need
to be done.  It is possible that some of these are also exploitable,
but I need to look more carefully to be sure.

I'll come up with a patch in the next few days and we can figure out a
plan for a coordinated release, but I figured I'd give everyone a
heads-up and get a few more eyes to evaluate the impact.

-D
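The check-the-length-not-the-pointer mistake described in the report, shown as an added C example (not Pidgin's or libpurple's code). `demo_base64_decode()` is a constructed stand-in that mimics the contract the mail describes for `purple_base64_decode()`: it returns NULL on failure and leaves the by-reference length untouched. `unchecked_pattern_would_crash()` models the buggy caller, which treats `len > 0` as proof of success; `checked_first_byte()` is the hardened form, which tests the pointer first and only then the length. `stale_len` stands in for whatever value the caller's uninitialised length variable happens to hold.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Value of one base64 alphabet character, or -1 if it is not in the alphabet. */
static int b64_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Constructed stand-in for purple_base64_decode(): returns a malloc'd buffer
 * of decoded bytes, or NULL on failure (NULL input, empty input, bad length,
 * bad character). On failure *ret_len is deliberately NOT written, which is
 * the behaviour the report attributes to the real function. */
static unsigned char *demo_base64_decode(const char *str, size_t *ret_len)
{
    if (str == NULL) return NULL;
    size_t n = strlen(str);
    if (n == 0 || n % 4 != 0) return NULL;       /* a 1-character value fails here */
    unsigned char *out = malloc(n / 4 * 3);
    if (out == NULL) return NULL;
    size_t o = 0;
    for (size_t i = 0; i < n; i += 4) {
        int v[4];
        int pad = 0;
        for (int k = 0; k < 4; k++) {
            char c = str[i + k];
            if (c == '=') {
                /* '=' is only valid as the last one or two characters */
                if (i + 4 != n || k < 2) { free(out); return NULL; }
                v[k] = 0;
                pad++;
            } else if (pad > 0 || (v[k] = b64_val(c)) < 0) {
                free(out);
                return NULL;
            }
        }
        out[o++] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
        if (pad < 2) out[o++] = (unsigned char)(((v[1] & 0xF) << 4) | (v[2] >> 2));
        if (pad < 1) out[o++] = (unsigned char)(((v[2] & 0x3) << 6) | v[3]);
    }
    *ret_len = o;
    return out;
}

/* The buggy caller pattern from the report: "len > 0" is taken to mean the
 * decode succeeded. Returns 1 if that logic would go on to read through a
 * NULL pointer, 0 otherwise. The dereference itself is replaced by this
 * check so the function can be run safely. stale_len models the garbage
 * an uninitialised length variable holds before the call. */
int unchecked_pattern_would_crash(const char *value, size_t stale_len)
{
    size_t len = stale_len;
    unsigned char *decoded = demo_base64_decode(value, &len);
    int would_crash = (decoded == NULL && len > 0);
    free(decoded);
    return would_crash;
}

/* Hardened caller: check the returned pointer before trusting the length.
 * Returns the first decoded byte, or -1 if the value was rejected. */
int checked_first_byte(const char *value)
{
    size_t len = 0;
    unsigned char *decoded = demo_base64_decode(value, &len);
    if (decoded == NULL || len == 0) {
        free(decoded);
        return -1;
    }
    int first = decoded[0];
    free(decoded);
    return first;
}
```

The point the two callers make together: the length parameter only carries information once the pointer is non-NULL, so the pointer check must come first, and initialising `len` to 0 before the call is a second line of defence rather than a replacement for it.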