Pidgin / lib purple XMPP remote crash

Elliott Sales de Andrade qulogic at pidgin.im
Sun Apr 15 21:36:19 EDT 2012


Hi José,

Thanks for reporting this issue.
It seems like none of our XMPP people have received this message, though.

Hopefully my reply will poke them into reading this.

I believe this issue has just been reported here:
http://developer.pidgin.im/ticket/15067
This just-reported ticket may also be related, although the backtrace is
not quite the same:
http://developer.pidgin.im/ticket/15065

On Mon, Apr 9, 2012 at 2:19 PM, jv.gutierrezb at gmail.com <
jv.gutierrezb at gmail.com> wrote:

> Hi,
>
> I have found a vulnerability in the latest stable version of pidgin / lib
> purple (2.10.3) related to stream host negotiation in XMPP SI File
> Transfer (XEP-0096).
>
> Attached to this mail you'll find a PoC in python that triggers the crash
> (NULL pointer dereference in libpurple/protocols/jabber/si.c:124
> function jabber_si_bytestreams_connect_cb). The PoC needs
> http://xmpppy.sourceforge.net/
>
> The PoC uses four stream hosts to trigger the crash:
>
> stream host #1 --> JID=attacker at lab/Home, host=172.16.162.128, port=55261. Results in timeout
> stream host #2 --> JID=proxy.lab, host=0.0.0.0, port=49185. Results in Windows socket error #10049
> stream host #3 --> JID=proxy.lab, host=192.168.42.7, port=7777. Works
> stream host #4 --> JID=proxy.lab, host=0.0.0.0, port=49185. Results in Windows socket error #10049
>
> After stream host #3 is used to transfer the file successfully and jsx is
> freed, jabber_si_bytestreams_connect_cb is invoked to report the timeout
> of stream host #1 and tries to use jsx, but jsx is pointing to NULL.
>
> Mitre has assigned the CVE 2012-2214 to this bug. The bug isn't public and
> I'll only make it public after the bug is fixed.
>
> If you need any other information, please don't hesitate to contact me.
>
> Regards,
> José Valentín Gutiérrez
>
>
> --
Elliott aka QuLogic
Pidgin developer
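To make the ordering in the quoted report concrete, here is an added C model of the bug class it describes: one shared transfer context (standing in for jsx) referenced by several outstanding stream-host connection attempts, freed as soon as one attempt succeeds, while the callbacks of the remaining attempts still fire. The hardened variant withdraws the outstanding attempts before the context goes away. This is constructed example code, not libpurple's si.c; the names transfer_ctx, pending_attempt, connect_cb and run_scenario are my own, and freeing is modelled by a flag so the fault is observable rather than undefined behaviour.

```c
/* Constructed model of the si.c pattern: a shared transfer context and
 * several connection attempts whose callbacks all reference it.
 * Not libpurple code; names are assumptions for illustration. */
#define MAX_HOSTS 4

typedef struct { int transferred; int freed; } transfer_ctx;      /* stands in for jsx */

/* One outstanding stream-host attempt; its result is delivered later. */
typedef struct { transfer_ctx *jsx; int outcome; int cancelled; } pending_attempt;
/* outcome: 1 = connected, 0 = timeout or socket error */

static int attempts_n;
static pending_attempt attempts[MAX_HOSTS];

/* Hardened path: withdraw every attempt that still refers to jsx. */
static void cancel_pending(transfer_ctx *jsx) {
    for (int i = 0; i < attempts_n; i++)
        if (attempts[i].jsx == jsx) attempts[i].cancelled = 1;
}

/* Models jabber_si_bytestreams_connect_cb. Returns 0 on normal handling,
 * -1 when it would touch an already-freed context (the reported crash). */
static int connect_cb(pending_attempt *a, int fix) {
    if (a->cancelled) return 0;          /* attempt withdrawn with its context */
    if (a->jsx->freed) return -1;        /* context gone: this is the fault */
    if (a->outcome == 1 && !a->jsx->transferred) {
        a->jsx->transferred = 1;         /* file went over this stream host */
        if (fix) cancel_pending(a->jsx); /* fix: cancel siblings before freeing */
        a->jsx->freed = 1;               /* stands in for freeing jsx */
    }
    return 0;
}

/* Delivers the four results in the order the report describes:
 * #2 error, #3 connects (context freed), #4 error, #1 timeout.
 * Returns 0 if every callback handled its result, -1 if any faulted. */
int run_scenario(int fix) {
    transfer_ctx jsx = {0, 0};
    const int outcome[MAX_HOSTS] = {0, 0, 1, 0};   /* hosts #1..#4 */
    const int order[MAX_HOSTS] = {1, 2, 3, 0};     /* delivery order (0-based) */
    attempts_n = MAX_HOSTS;
    for (int i = 0; i < MAX_HOSTS; i++) {
        attempts[i].jsx = &jsx;
        attempts[i].outcome = outcome[i];
        attempts[i].cancelled = 0;
    }
    int faults = 0;
    for (int i = 0; i < MAX_HOSTS; i++)
        if (connect_cb(&attempts[order[i]], fix) < 0) faults++;
    return faults ? -1 : 0;
}
```

Without the cancellation step the late timeout callback for host #1 (and the error for host #4) reaches the freed context; with it, both are dropped harmlessly.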