Another g_markup_escape_text Vulnerability
Fabian Yamaguchi
Fabian.Yamaguchi at cs.uni-goettingen.de
Tue Apr 10 04:53:24 EDT 2012
Hi Pidgin Security Team,
I've noticed that you have recently been patching lots of little bugs
concerning the use of g_markup_escape_text on non-valid UTF-8 strings
read from binary packets. Here's a similar bug in msn_plain_msg in the
newest version of Pidgin (2.10.3):
void
msn_plain_msg(MsnCmdProc *cmdproc, MsnMessage *msg)
{
        PurpleConnection *gc;
        const char *body;
        char *body_enc;
        char *body_final;
        size_t body_len;
        const char *passport;
        const char *value;

        gc = cmdproc->session->account->gc;

        body = msn_message_get_bin_data(msg, &body_len);      <--- (1)
        body_enc = g_markup_escape_text(body, body_len);      <--- (2)

        passport = msg->remote_user;

        if (!strcmp(passport, "messenger@microsoft.com") &&
            strstr(body, "immediate security update"))
        {
                return;
        }
        [...]
}
On line (1), a chunk of binary characters is read and saved in msg. On
line (2) this string is passed to g_markup_escape_text without
validating that it is a valid UTF-8 string.
... and a stack trace:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff50e7f00 in g_markup_escape_text () from /usr/lib/libglib-2.0.so.0
(gdb) bt
#0  0x00007ffff50e7f00 in g_markup_escape_text () from /usr/lib/libglib-2.0.so.0
#1  0x00007fffe7d1430f in msn_plain_msg () from /usr/lib/purple-2/libmsn.so
#2  0x00007fffe7d0a5c6 in msn_cmdproc_process_msg () from /usr/lib/purple-2/libmsn.so
#3  0x00007fffe7d2c7ef in ?? () from /usr/lib/purple-2/libmsn.so
#4  0x00007fffe7d25ae9 in msn_servconn_process_data () from /usr/lib/purple-2/libmsn.so
#5  0x00007fffe7d25c81 in ?? () from /usr/lib/purple-2/libmsn.so
#6  0x000000000046af5d in ?? ()
#7  0x00007ffff50e337c in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#8  0x00007ffff50e3798 in ?? () from /usr/lib/libglib-2.0.so.0
#9  0x00007ffff50e3b92 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#10 0x00007ffff6d76637 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#11 0x00000000004319a1 in main ()
I hope this information is useful to you guys. I can also provide a
trigger if required.

Regards,
Fabian Yamaguchi (University of Goettingen)
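Added example, not the reporter's code and not Pidgin's fix: the defensive pattern for the bug above is to validate the packet body as UTF-8 before it reaches the escaper and to drop the message when validation fails. In GLib that check is g_utf8_validate(); the utf8_valid() below is a self-contained stand-in so the program builds without GLib, and safe_markup_escape() is a hypothetical name.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for g_utf8_validate(): well-formed UTF-8 only (no NUL, overlong, surrogate, > U+10FFFF). */
static int utf8_valid(const unsigned char *s, size_t len)
{
    static const uint32_t min_cp[] = { 0, 0x80, 0x800, 0x10000 };
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i]; size_t n; uint32_t cp;
        if (c == 0) return 0;                       /* embedded NUL */
        if (c < 0x80) { i++; continue; }            /* plain ASCII */
        if ((c & 0xE0) == 0xC0) { n = 1; cp = c & 0x1F; }
        else if ((c & 0xF0) == 0xE0) { n = 2; cp = c & 0x0F; }
        else if ((c & 0xF8) == 0xF0) { n = 3; cp = c & 0x07; }
        else return 0;                              /* stray continuation byte or 0xF8..0xFF */
        if (i + n >= len) return 0;                 /* sequence runs past the buffer end */
        for (size_t k = 1; k <= n; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min_cp[n] || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += n + 1;
    }
    return 1;
}
/* Escape a raw packet body for markup. Returns a malloc'd string (caller frees), or NULL
 * when the body is not UTF-8 so the caller can drop the message instead of escaping it. */
char *safe_markup_escape(const char *body, size_t len)
{
    if (!utf8_valid((const unsigned char *)body, len)) return NULL;
    char *out = malloc(len * 6 + 1), *p = out;      /* "&quot;" is the longest expansion */
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        char c = body[i];
        const char *rep = c == '&' ? "&amp;" : c == '<' ? "&lt;" : c == '>' ? "&gt;"
                        : c == '"' ? "&quot;" : c == '\'' ? "&apos;" : NULL;
        if (rep) { size_t r = strlen(rep); memcpy(p, rep, r); p += r; } else *p++ = c;
    }
    *p = '\0'; return out;
}
int main(void)
{   /* constructed samples: valid UTF-8 containing markup, then a body that starts with 0xFF */
    const char good[] = "a<b>&\xc3\xa9", bad[] = "\xff\xfe<x>";
    char *e = safe_markup_escape(good, sizeof good - 1);
    printf("good: %s\n", e ? e : "(rejected)"); free(e);
    e = safe_markup_escape(bad, sizeof bad - 1);
    printf("bad:  %s\n", e ? e : "(rejected)"); free(e);
    return 0;
}
```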