remote crasher in the IRC WHO changes

Ethan Blanton elb at pidgin.im
Wed Jul 6 18:27:39 EDT 2011


Hi all,

The IRC WHO changes which went into 2.8.0 have parsing errors which
are potential remote crashers.  Not only is the incoming message
wrongly tokenized (which I think is the cause of #14341), but the
message is used without verifying that it is intact.

Exploiting this crasher (and I believe it is only a crasher; NULL
pointer dereferences or invalid UTF-8 strings are the culprits)
requires a complicit server for NULL pointer dereferences, but I
believe can be triggered with bogus nicknames on some servers which
allow non-ASCII nicks.  (This is #14341.)

A patch which I believe fixes the WHO parsing errors is available from:

    http://pidgin.im/~elb/private/irc_who_fix.diff

I suspect we want to embargo this for 2.9.1.

Paul, you seem to have reproduced the bug in #14341, can you try this
patch and see if it fixes it?

Ethan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: Digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20110706/e9904ad9/attachment.pgp>


More information about the security mailing list