potential information leak in libpurple/cipher.c?

Julia Lawall julia at diku.dk
Tue Feb 1 10:29:27 EST 2011

On Tue, 1 Feb 2011, Ethan Blanton wrote:

> Julia Lawall spake unto us the following wisdom:
> > In pidgin version 2.7.9, libpurple/cipher.c contains a number of functions 
> > like the following, which appear to have the goal of clearing a data 
> > structure before freeing it:
> [snip]
> > The call to memset, however, has as third argument the size of a pointer, 
> > and not the size of the data structure referenced by that pointer, and so 
> > only the first few bytes of the structure get cleared.
> It appears that you are correct.  Thank you for your input, and we
> will try to get this fixed in the next release.  While this is not an
> immediately exploitable flaw, we take security concerns such as this
> seriously.  If you or your organization have an established method for
> disclosure of such flaws, please embargo your disclosure until we have
> a chance to release; we have a release scheduled more or less
> immediately, but I am not sure what its status is.  If we do not make
> it into this release, it will likely be a few weeks.  We will let you
> know.
> Thanks again, and we will keep you updated!



More information about the security mailing list