Lots of crashes (exploitable?) reported in Fedora

Tue Apr 17 21:09:41 EDT 2012

On Tue, Apr 17, 2012 at 3:09 PM, Vincent Danen <vdanen at redhat.com> wrote:

> * [2012-04-13 14:19:51 -0400] Ethan Blanton wrote:
>
>  Vincent Danen spake unto us the following wisdom:
>>
>>> Hi folks.  I'm not sure whether this should be considered
>>> security-sensitive or not, but we've had a number of crashes reported on
>>> pidgin in Fedora:
>>>
>>> https://bugzilla.redhat.com/**show_bug.cgi?id=720781<https://bugzilla.redhat.com/show_bug.cgi?id=720781>
>>>
>>
>> Are the extra threads created by the crash-reporting process, or is
>> Fedora doing something stupid with plugins?  I see at least some of
>> those include third-party plugins, some of which I do not recognize.
>>
>
> Sorry for not getting back to this sooner.
>
> I don't believe abrt would be adding anything to those calls, but I'm
> not 100% familiar with it.  They could very well be third-party plugins
> causing this (I suspect users can download and install their own plugins
> outside of what we provide in Fedora).
>
>
The additional threads may be caused by something like pulseaudio.

There are definitely some crashes there in the msn-pecan and sipe
third-part plugins.

>
>  The threads seem to be using different glib contexts, so they may be
>> safe, but ...
>>
>>  The bug is public as these were all sent by abrt collecting info on
>>> Pidgin crashes and they seem to be all over the place.  I have not much
>>> experience with Pidgin or trying to determine whether or not these might
>>> be considered security flaws, but could you take a look at the bug and
>>> see if might be?
>>>
>>> Again, the bug is public but I wanted to give you a heads-up.  I don't
>>> believe these are more than crashes, but at least one user in the bug
>>> seems to think these should be security-relevant.
>>>
>>
>> The crash-on-demand from a jabber call is indeed concerning.
>>
>
>
This may have been reported separately here already.

> I'm cc'ing Jonathan who maintains pidgin on RHEL, as he may have more
> insight into this than I, and Stu who is the Fedora maintainer of
> pidgin.
>
> From what I understand of abrt, if the hash is the same (which it should
> be since all these reports keep getting added to this one bug), then the
> issue is being triggered in the same place (if it were triggered
> somewhere else, my understanding is that the abrt hash would change).
> So it looks like the underlying problem might be the same across the
> board, but it just shows up in different ways or circumstances?
>
>
abrt is clearly broken in this case, though, unless the underlying problem
is some sort of random memory corruption. Some of the backtraces are in
cairo/X, some in third-party plugins, and a few more in Pidgin/libpurple.
And this one isn't even in Pidgin:
https://bugzilla.redhat.com/attachment.cgi?id=572234

>
> --
> Vincent Danen / Red Hat Security Response Team
> ______________________________**_________________
> security mailing list
> security at pidgin.im
> http://pidgin.im/cgi-bin/**mailman/listinfo/security<http://pidgin.im/cgi-bin/mailman/listinfo/security>
>

-- 
Elliott aka QuLogic
Pidgin developer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20120417/cdaebb70/attachment.html>