libpurple vulnerability disclosure and fix

Ethan Blanton elb at psg.com
Sat Oct 1 16:48:00 EDT 2011


Hello all,

A libpurple vulnerability was made known to the Pidgin developers via
our public bug tracker which affects the SILC protocol plugin and all
software which uses SILC via libpurple.  The original identification
of the vulnerability and bug report was made by Diego Bauche Madero
from IOActive <diego.madero at ioactive.com>, and can be seen on the
Pidgin bug tracker as Bug #14636:

    http://developer.pidgin.im/ticket/14636

The vulnerability lies in calling g_markup_escape_text() on strings
which have not been verified as valid UTF-8.  This function is not
required to do anything reasonable with invalid UTF-8, and indeed
reads past the end of the string and will eventually segfault for
certain sequences in some versions of Glib 2.  Because the behavior of
this function is undefined, and depends on the particular version of
Glib 2 in use, the complete ramifications of this bug are unknown.
Remote crashing of a libpurple client by untrusted users via
specifically crafted SILC messages is a verified vulnerability.

This bug is believed to affect all releases of libpurple up to and
including version 2.10.0.

The correct fix for this bug is UTF-8 validation (and correction if
necessary) of the incoming string before passing it to Glib.  A patch
which provides this fix has been applied to the Pidgin sources in
revision 7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8 and will appear in
all future Pidgin releases.  For reference, it is:

    http://developer.pidgin.im/viewmtn/revision/diff/be5e66abad2af29604bc794cc4c6600ab12751f3/with/7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8

All packagers of libpurple (including monolithic Pidgin and/or finch
packages) who have not already done so are encouraged to apply this
change to their packages immediately.

We would also like to request a CVE number for this issue.

Any sensitive follow-ups to this issue, or any other Pidgin, finch, or
libpurple issue, may be directed to security at pidgin.im.

Thank you,
Ethan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: Digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20111001/e6ef1f7c/attachment.pgp>


More information about the security mailing list