Receipt of an invalid XMPP Jingle "session-initiate" iq missing certain fields causes libpurple to dereference a NULL pointer.

Mark Doliner mark at
Sat Dec 3 20:36:40 EST 2011

On Thu, Dec 1, 2011 at 10:40 PM, Paul Aurich <paul at> wrote:
> I'd like to propose the attached patch, which fixes the two crashes Thijs
> identified and the others I noticed.

Your changes look great to me.  I tested with the XMPP Console plugin
and it fixes the crashes caused by the two example stanzas provided by

> I'm not certain about the exit cases in jingle_rtp_init_media

Valgrind didn't complain about invalid memory accesses, so that's
good.  I did see a few memory leaks (possibly totally unrelated to the
crashes) and I took a stab at fixing them.  See revised attached

These crashes can be triggered remotely by someone not on your buddy
list, which is a remote denial of service attack, so I think we should
request a CVE via the packagers mailing list, and set an embargo date
for 5 or 6 days from now.  If this sounds good to people, and if my
revised attach looks ok, I can email packagers Sunday or Monday.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: proposed-jingle-crash-fix-2.patch
Type: text/x-patch
Size: 9637 bytes
