Another g_markup_escape_text Vulnerability

Elliott Sales de Andrade qulogic at pidgin.im
Sun Apr 15 21:40:23 EDT 2012


Hi Fabian,

Thanks for reporting this issue.

On Tue, Apr 10, 2012 at 4:53 AM, Fabian Yamaguchi <
Fabian.Yamaguchi at cs.uni-goettingen.de> wrote:

> Hi Pidgin Security Team,
>
> I've noticed that you have recently been patching lots of little bugs
> concerning the use of g_markup_escape_text on non-valid UTF-8 strings
> read from binary packets. Here's a similar bug in msn_plain_msg in the
> newest Version of Pidgin (2.10.3):
>
> void
> msn_plain_msg(MsnCmdProc *cmdproc, MsnMessage *msg)
> {
>        PurpleConnection *gc;
>        const char *body;
>        char *body_enc;
>        char *body_final;
>        size_t body_len;
>        const char *passport;
>        const char *value;
>
>        gc = cmdproc->session->account->gc;
>
>        body = msn_message_get_bin_data(msg, &body_len); <--- (1)
>        body_enc = g_markup_escape_text(body, body_len); <--- (2)
>
>        passport = msg->remote_user;
>
>        if (!strcmp(passport, "messenger@microsoft.com") &&
>                strstr(body, "immediate security update"))
>        {
>                return;
>        }
>
> [...]
> }
>
> On line (1), a chunk of binary characters is read and saved in msg. On
> line (2) this string is passed to g_markup_escape_text without
> validating that it is a valid UTF-8 string.
>
>
I think it should not be too hard to patch this, though I think I would
move the validation higher up in the call chain.


> ... and a stacktrace:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff50e7f00 in g_markup_escape_text ()
> from /usr/lib/libglib-2.0.so.0
> (gdb) bt
> #0  0x00007ffff50e7f00 in g_markup_escape_text ()
> from /usr/lib/libglib-2.0.so.0
> #1  0x00007fffe7d1430f in msn_plain_msg ()
> from /usr/lib/purple-2/libmsn.so
> #2  0x00007fffe7d0a5c6 in msn_cmdproc_process_msg ()
> from /usr/lib/purple-2/libmsn.so
> #3  0x00007fffe7d2c7ef in ?? () from /usr/lib/purple-2/libmsn.so
> #4  0x00007fffe7d25ae9 in msn_servconn_process_data ()
> from /usr/lib/purple-2/libmsn.so
> #5  0x00007fffe7d25c81 in ?? () from /usr/lib/purple-2/libmsn.so
> #6  0x000000000046af5d in ?? ()
> #7  0x00007ffff50e337c in g_main_context_dispatch ()
> from /usr/lib/libglib-2.0.so.0
> #8  0x00007ffff50e3798 in ?? () from /usr/lib/libglib-2.0.so.0
> #9  0x00007ffff50e3b92 in g_main_loop_run ()
> from /usr/lib/libglib-2.0.so.0
> #10 0x00007ffff6d76637 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
> #11 0x00000000004319a1 in main ()
>
> I hope this information is useful to you guys. I can also provide a
> trigger if required.
>
>
If you could do so, that would make fixing this bug easier and quicker.


> regards,
>
> Fabian Yamaguchi (University of Goettingen)
>
>
-- 
Elliott aka QuLogic
Pidgin developer
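The check Fabian's report says is missing, as an added example (not Pidgin or GLib code): g_markup_escape_text() assumes its input is well-formed UTF-8 and steps through it by the length each lead byte implies, so a length-delimited packet body must be validated first. In Pidgin that is what g_utf8_validate(body, body_len, NULL) provides; the functions below are a stand-alone stand-in with the same acceptance rules (RFC 3629), and the names packet_body_is_utf8 and body_safe_for_markup are hypothetical.

```c
/* Added example: validate a length-delimited packet body as UTF-8 before
 * handing it to a markup escaper. Stand-in for g_utf8_validate(), written
 * without GLib so it builds stand-alone. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Returns true if buf[0..len) is well-formed UTF-8: no overlong forms,
 * no UTF-16 surrogates, nothing above U+10FFFF, and no multi-byte
 * sequence cut off by the end of the packet. */
bool packet_body_is_utf8(const uint8_t *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t b = buf[i];
        size_t n;          /* continuation bytes expected after b */
        uint32_t cp;
        if (b < 0x80)                 { i++; continue; }
        else if ((b & 0xE0) == 0xC0) { n = 1; cp = b & 0x1F; }
        else if ((b & 0xF0) == 0xE0) { n = 2; cp = b & 0x0F; }
        else if ((b & 0xF8) == 0xF0) { n = 3; cp = b & 0x07; }
        else return false;            /* stray continuation byte or 0xF8..0xFF */
        if (len - i <= n) return false;  /* sequence runs past body_len */
        for (size_t k = 1; k <= n; k++) {
            if ((buf[i + k] & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (buf[i + k] & 0x3F);
        }
        /* reject overlong encodings, surrogates, and code points > U+10FFFF */
        if ((n == 1 && cp < 0x80) || (n == 2 && cp < 0x800) ||
            (n == 3 && (cp < 0x10000 || cp > 0x10FFFF)) ||
            (cp >= 0xD800 && cp <= 0xDFFF))
            return false;
        i += n + 1;
    }
    return true;
}

/* Hypothetical guard in the spirit of moving validation up the call chain:
 * decide once whether the body may be escaped at all. Returns the body if
 * it is safe to pass to a markup escaper, NULL otherwise. */
const char *body_safe_for_markup(const char *body, size_t body_len)
{
    return packet_body_is_utf8((const uint8_t *)body, body_len) ? body : NULL;
}
```

A caller that gets NULL back should drop or log the message rather than escape it; the truncated-sequence case is the one a binary packet boundary produces most easily.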