Receipt of an invalid XMPP Jingle "session-initiate" iq missing certain fields causes libpurple to dereference a NULL pointer.
Mark Doliner
mark at kingant.net
Sat Dec 3 20:36:40 EST 2011
On Thu, Dec 1, 2011 at 10:40 PM, Paul Aurich <paul at darkrain42.org> wrote:
> I'd like to propose the attached patch, which fixes the two crashes Thijs
> identified and the others I noticed.
Your changes look great to me. I tested with the XMPP Console plugin
and it fixes the crashes caused by the two example stanzas provided by
Thijs.
> I'm not certain about the exit cases in jingle_rtp_init_media
Valgrind didn't complain about invalid memory accesses, so that's
good. I did see a few memory leaks (possibly totally unrelated to the
crashes) and I took a stab at fixing them. See revised attached
patch.
These crashes can be triggered remotely by someone not on your buddy
list, which is a remote denial of service attack, so I think we should
request a CVE via the packagers mailing list, and set an embargo date
for 5 or 6 days from now. If this sounds good to people, and if my
revised attachment looks ok, I can email packagers Sunday or Monday.
--Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: proposed-jingle-crash-fix-2.patch
Type: text/x-patch
Size: 9637 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20111203/342f17da/attachment.bin>
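The thread's fix is a set of NULL checks in libpurple's Jingle handler; the patch itself is only attached, so the following is an added illustration of the defensive pattern, not libpurple's code and not Paul's patch. It validates an incoming session-initiate stanza against the structure XEP-0166 requires (a `sid`, at least one `<content/>` with `name` and `creator`, and exactly one description and one transport per content) before any field is dereferenced, and rejects anything else as a bad request. The page does not say which fields the crashing stanzas lacked, so the required set, the sample stanzas and the function names are assumptions; the stanzas are constructed here, and the RTP and ICE-UDP namespaces appear only inside them.

```python
"""Added example: reject a malformed Jingle session-initiate before dispatch.

Not libpurple code. Field requirements follow XEP-0166 (assumption: the real
handler needs at least these). Sample stanzas below are constructed, in the
form the XMPP Console plugin would show them (no jabber:client namespace).
"""
import xml.etree.ElementTree as ET

JINGLE_NS = "urn:xmpp:jingle:1"                      # XEP-0166
RTP_NS = "urn:xmpp:jingle:apps:rtp:1"                # XEP-0167, sample only
ICE_NS = "urn:xmpp:jingle:transports:ice-udp:1"      # XEP-0176, sample only


def _q(ns, local):
    """Clark-notation tag name used by ElementTree."""
    return "{%s}%s" % (ns, local)


def validate_session_initiate(stanza_xml):
    """Return a list of problems; an empty list means the stanza may be dispatched.

    Every attribute or child the handler will later read is checked here, so
    the handler never dereferences something that is absent.
    """
    problems = []
    try:
        iq = ET.fromstring(stanza_xml)
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]
    if iq.tag.split("}")[-1] != "iq" or iq.get("type") != "set":
        problems.append("not an <iq type='set'/>")
    if not iq.get("from"):
        problems.append("missing 'from' attribute")
    jingle = iq.find(_q(JINGLE_NS, "jingle"))
    if jingle is None:
        problems.append("missing <jingle/> child")
        return problems                      # nothing below is safe to read
    if jingle.get("action") != "session-initiate":
        problems.append("action is not 'session-initiate'")
    if not jingle.get("sid"):
        problems.append("missing 'sid' attribute")
    contents = jingle.findall(_q(JINGLE_NS, "content"))
    if not contents:
        problems.append("no <content/> element")
    for i, content in enumerate(contents):
        for attr in ("name", "creator"):
            if not content.get(attr):
                problems.append("content[%d] missing '%s'" % (i, attr))
        # Description/transport live in their own namespaces; match on local name.
        for local in ("description", "transport"):
            found = [e for e in content if e.tag.endswith("}" + local)]
            if len(found) != 1:
                problems.append("content[%d] needs exactly one <%s/>, found %d"
                                % (i, local, len(found)))
    return problems


def handle_session_initiate(stanza_xml):
    """Dispatch only after validation; return a string describing the outcome.

    A real handler would answer with <iq type='error'> carrying <bad-request/>
    (XEP-0166) instead of returning a string. The dereferences after the
    validation gate are safe precisely because the validator confirmed them.
    """
    problems = validate_session_initiate(stanza_xml)
    if problems:
        return "bad-request: " + "; ".join(problems)
    jingle = ET.fromstring(stanza_xml).find(_q(JINGLE_NS, "jingle"))
    content = jingle.find(_q(JINGLE_NS, "content"))
    desc = next(e for e in content if e.tag.endswith("}description"))
    return "accepted sid=%s media=%s" % (jingle.get("sid"), desc.get("media", "?"))


# Constructed sample stanzas (not the ones Thijs reported).
GOOD = (
    "<iq type='set' from='alice@example.org/phone' to='bob@example.org/pc' id='i1'>"
    "<jingle xmlns='%s' action='session-initiate' sid='a73sjjvkla37jfea' "
    "initiator='alice@example.org/phone'>"
    "<content creator='initiator' name='voice'>"
    "<description xmlns='%s' media='audio'/>"
    "<transport xmlns='%s'/>"
    "</content></jingle></iq>" % (JINGLE_NS, RTP_NS, ICE_NS)
)
NO_SID = GOOD.replace(" sid='a73sjjvkla37jfea'", "")
NO_CONTENT = ("<iq type='set' from='a@x/r' to='b@x/r' id='i2'>"
              "<jingle xmlns='%s' action='session-initiate' sid='s'/></iq>" % JINGLE_NS)
NO_TRANSPORT = GOOD.replace("<transport xmlns='%s'/>" % ICE_NS, "")

if __name__ == "__main__":
    for label, stanza in (("good", GOOD), ("no sid", NO_SID),
                          ("no content", NO_CONTENT), ("no transport", NO_TRANSPORT)):
        print("%-12s %s" % (label, handle_session_initiate(stanza)))
```

The point of the gate is that the stanza can come from any JID the server will relay, buddy or not, so a handler that reaches for `sid` or the first `<content/>` child without a check is a remotely triggerable crash; the validator turns the same inputs into a rejected request and the sender gets an error instead of taking the client down.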