[oss-security] libpurple vulnerability disclosure and fix

Josh Bressers bressers at redhat.com
Tue Oct 4 14:02:09 EDT 2011

Please use CVE-2011-3594.



----- Original Message -----
> Hello all,
> A libpurple vulnerability was made known to the Pidgin developers via
> our public bug tracker which affects the SILC protocol plugin and all
> software which uses SILC via libpurple.  The original identification
> of the vulnerability and bug report was made by Diego Bauche Madero
> from IOActive <diego.madero at ioactive.com>, and can be seen on the
> Pidgin bug tracker as Bug #14636:
>     http://developer.pidgin.im/ticket/14636
> The vulnerability lies in calling g_markup_escape_text() on strings
> which have not been verified as valid UTF-8.  This function is not
> required to do anything reasonable with invalid UTF-8, and indeed
> reads past the end of the string and will eventually segfault for
> certain sequences in some versions of Glib 2.  Because the behavior
> of
> this function is undefined, and depends on the particular version of
> Glib 2 in use, the complete ramifications of this bug are unknown.
> Remote crashing of a libpurple client by untrusted users via
> specifically crafted SILC messages is a verified vulnerability.
> This bug is believed to affect all releases of libpurple up to and
> including version 2.10.0.
> The correct fix for this bug is UTF-8 validation (and correction if
> necessary) of the incoming string before passing it to Glib.  A patch
> which provides this fix has been applied to the Pidgin sources in
> revision 7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8 and will appear in
> all future Pidgin releases.  For reference, it is:
>     http://developer.pidgin.im/viewmtn/revision/diff/be5e66abad2af29604bc794cc4c6600ab12751f3/with/7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8
> All packagers of libpurple (including monolithic Pidgin and/or finch
> packages) who have not already done so are encouraged to apply this
> change to their packages immediately.
> We would also like to request a CVE number for this issue.
> Any sensitive follow-ups to this issue, or any other Pidgin, finch,
> or
> libpurple issue, may be directed to security at pidgin.im.
> Thank you,
> Ethan

More information about the security mailing list