Possible null-pointer dereference in libpurple /protocols/yahoo/libymsg.c

John Bailey rekkanoryo at rekkanoryo.org
Thu Feb 24 20:16:34 EST 2011

On 02/22/2011 10:46 PM, Marius Wachtler wrote:
> Hello
> I think I have found a remote triggerable null-pointer dereference in libpurple.
> Maybe this is a false alert because I found the suspected code only by
> inspection and have not written any real app which tries to crash
> pidgin.
> Hope this helps and I have not overlooked something and wasted your time.

Hello, Marius,

Thanks for this report!  You have not overlooked anything that I can see.  The
specific problem here is we assume that incoming packets will be properly
formed, containing all the expected (necessary) key/value pairs.  I'm not sure
if it's actually possible to get a packet malformed in the way you describe to
pass through the server to a remote client.  In the interest of safety, I will,
of course, investigate a fix for this.

Since this is something that isn't exactly high-visibility, I'd like to propose
that this vulnerability not be disclosed until 2011-03-10, when I plan to push
the release of Pidgin 2.7.11 with a fix to this issue.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20110224/8f11ea8c/attachment.pgp>

More information about the security mailing list