Bugs related to CVE-2011-4601

Fabian Yamaguchi Fabian.Yamaguchi at cs.uni-goettingen.de
Wed Apr 18 09:29:09 EDT 2012


Hello,

in CVE-2011-4601 you patched a number of locations in the OSCAR code to
ensure that usernames and messages are valid UTF-8. There are a number
of other locations in the code where such checks are required. In
particular in function parseicon, an invalid username leads to a crash.
The easiest way to reproduce this behaviour is to replace the last
character of a username with '\x8f' in the packet or right after the
data has been received from the socket. In this case, you get the
following stack trace:

Program received signal SIGSEGV, Segmentation fault.
0x00eb37a0 in ?? () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0  0x00eb37a0 in ?? () from /lib/tls/i686/cmov/libc.so.6
#1  0x01582ac0 in oscar_normalize (account=0x81a1a28, str=0x87f98c0
"7295394", <incomplete sequence \370>) at oscar.c:5640
#2  0x00d682f0 in purple_normalize (account=0x81a1a28, str=0x87f98c0
"7295394", <incomplete sequence \370>) at util.c:3027
#3  0x00cf9cb8 in purple_find_buddy (account=0x81a1a28, name=0x87f98c0
"7295394", <incomplete sequence \370>) at blist.c:2440
#4  0x00cfcf8a in purple_buddy_icons_find (account=0x81a1a28,
username=0x87f98c0 "7295394", <incomplete sequence \370>)
    at buddyicon.c:644
#5  0x00cfc587 in purple_buddy_icon_new (account=0x81a1a28,
username=0x87f98c0 "7295394", <incomplete sequence \370>, 
    icon_data=0x8820400, icon_len=3573, checksum=0x8443a48
"2a3aee1ad2299330b5b45d24d56988b3") at buddyicon.c:334
#6  0x00cfccc8 in purple_buddy_icons_set_for_user (account=0x81a1a28,
username=0x87f98c0 "7295394", <incomplete sequence \370>, 
    icon_data=0x8820400, icon_len=3573, checksum=0x8443a48
"2a3aee1ad2299330b5b45d24d56988b3") at buddyicon.c:557
#7  0x0157ad7c in purple_icon_parseicon (od=0x8462000, conn=0x87f0038,
fr=0x87f0078) at oscar.c:2674
#8  0x0155d6cb in parseicon (od=0x8462000, conn=0x87f0038,
mod=0x8798200, frame=0x87f0078, snac=0xbfffcf40, bs=0x87f007c)
    at family_bart.c:154
#9  0x0155d776 in snachandler (od=0x8462000, conn=0x87f0038,
mod=0x8798200, frame=0x87f0078, snac=0xbfffcf40, bs=0x87f007c)
    at family_bart.c:169
#10 0x01570820 in parse_snac (od=0x8462000, conn=0x87f0038,
frame=0x87f0078) at flap_connection.c:776
#11 0x01570abd in parse_flap (od=0x8462000, conn=0x87f0038,
frame=0x87f0078) at flap_connection.c:862
#12 0x01570e27 in flap_connection_recv (conn=0x87f0038) at
flap_connection.c:985
#13 0x01570e82 in flap_connection_recv_cb (data=0x87f0038, source=20,
cond=PURPLE_INPUT_READ) at flap_connection.c:1000
#14 0x080b2df3 in pidgin_io_invoke (source=0x87f22b0, condition=G_IO_IN,
data=0x87a9288) at gtkeventloop.c:73
#15 0x00c73efb in ?? () from /lib/libglib-2.0.so.0
#16 0x00c2f5e5 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#17 0x00c332d8 in ?? () from /lib/libglib-2.0.so.0
#18 0x00c33817 in g_main_loop_run () from /lib/libglib-2.0.so.0
#19 0x006033c9 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#20 0x080d18fa in main (argc=1, argv=0xbffff504) at gtkmain.c:934


The required checks are also missing in mtn_receive, keyparse, parseadd,
parsemod and parseinfo_create.

Hope this information is useful.
Fabian Yamaguchi (University of Goettingen)
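The missing check the report asks for is a UTF-8 validity test on the username before it reaches oscar_normalize / purple_find_buddy. The following is an added example, not part of Fabian's message and not Pidgin's own code: a self-contained validator (in a real Pidgin build one would call GLib's g_utf8_validate() instead; it is written out here so the example compiles without GLib) plus a guard function, accept_username(), that models the decision parseicon and the other listed handlers should make. The inputs "7295394" and "7295394\x8f" are constructed to mirror the report, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (stands in for g_utf8_validate): returns 1 if the
 * bytes [s, s+len) are well-formed UTF-8, 0 otherwise. Rejects stray
 * continuation bytes, overlong encodings, UTF-16 surrogates, code points
 * above U+10FFFF and truncated sequences (the "<incomplete sequence \370>"
 * gdb prints in the report is a lone 0xF8 lead byte). */
int utf8_is_valid(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i];
        size_t n;       /* continuation bytes expected after the lead byte */
        uint32_t cp;    /* decoded code point */
        uint32_t min;   /* smallest code point this length may legally encode */

        if (c < 0x80) { i++; continue; }                            /* ASCII */
        else if ((c & 0xE0) == 0xC0) { n = 1; cp = c & 0x1F; min = 0x80;    }
        else if ((c & 0xF0) == 0xE0) { n = 2; cp = c & 0x0F; min = 0x800;   }
        else if ((c & 0xF8) == 0xF0) { n = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;  /* 0x80..0xBF without a lead byte, or 0xF8..0xFF */

        if (i + n >= len)
            return 0;   /* sequence runs past the end of the buffer */
        for (size_t k = 1; k <= n; k++) {
            if ((s[i + k] & 0xC0) != 0x80)
                return 0;                       /* not a continuation byte */
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min)                      return 0;   /* overlong form */
        if (cp > 0x10FFFF)                 return 0;   /* beyond Unicode */
        if (cp >= 0xD800 && cp <= 0xDFFF)  return 0;   /* surrogate */
        i += n + 1;
    }
    return 1;
}

/* Hypothetical guard modelled on the check the report asks for: a SNAC
 * handler such as parseicon should call this before passing the username
 * to normalisation or buddy lookup. Returns 1 if the name may be used,
 * 0 if the frame should be dropped (and logged) instead. */
int accept_username(const unsigned char *name, size_t len)
{
    if (len == 0 || !utf8_is_valid(name, len))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs mirroring the report: a plain ICQ UIN, and the
     * same UIN with its last character replaced by the byte 0x8f. */
    const unsigned char good[] = "7295394";
    const unsigned char bad[]  = "7295394\x8f";

    printf("\"7295394\"      -> %s\n",
           accept_username(good, sizeof good - 1) ? "accepted" : "dropped");
    printf("\"7295394\\x8f\"  -> %s\n",
           accept_username(bad, sizeof bad - 1) ? "accepted" : "dropped");
    return 0;
}
```

The same guard belongs in front of every place a wire-supplied username or message is normalised, which is the point of the list (mtn_receive, keyparse, parseadd, parsemod, parseinfo_create) at the end of the report.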