Pidgin / lib purple XMPP remote crash

jv.gutierrezb at gmail.com
Fri Apr 20 06:39:29 EDT 2012


I've just tested your patch in a Linux environment and it works fine. I can't build WinPidgin, but if you provide me with the patched DLL I'll test it.

By the way, I introduced a typo in the PoC name and you reproduced it in the name of the patch. The CVE is actually CVE-2012-2214, not CVE-2012-2144. Please excuse the mistake.

Cheers
On 20/04/2012, at 07:20, Paul Aurich wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Elliott: Thanks for the nudge
> José: Thank you for the excellent report (effusive praise incoming)
> 
> So, I think you've identified something which has been bugging (pun
> intended) me for a while via various folks, and which I've never been
> able to reproduce (and code inspection repeatedly indicated it shouldn't
> be possible).  So I'm gleeful right now, despite this being a remote crasher.
> 
> And José Valentín Gutierrez Boquete spoke on 04/15/2012 11:40 PM, saying:
>> On Mon, Apr 9, 2012 at 2:19 PM, jv.gutierrezb at gmail.com
>> <jv.gutierrezb at gmail.com> wrote:
>> 
>> After the stream host #3 is used to transfer successfully the file and
>> jsx freed, jabber_si_bytestreams_connect_cb is invoked to inform of
>> the timeout of stream host #1 and tries to use jsx, but jsx is
>> pointing to NULL.
> 
> I think the attached patch should fix this, though I am not actually
> seeing crashes (without my fixes in, I just get the "Data has gone out of
> scope :(" error).  Unless I'm missing something, the only way this would
> crash is if there is a valid PurpleProxyConnectData that was allocated at
> the same address at the time the socket timeout (from the OS) is triggered.
> 
> If you have the capability to build WinPidgin (or can test on a Linux
> system), would you mind testing the patch?  (If you don't have a build
> environment, I think one of our developers with such could build up a new
> .dll)
> 
> There's some added diagnostic logging in here -- if the patch doesn't fix
> it, I have a more detailed patch (been sitting in my working tree for a
> while) I can provide.
> 
> 
>> Mitre has assigned the CVE 2012-2214 to this bug. The bug isn't public
>> and I'll only make it public after the bug is fixed.
> 
> As Elliott noted, it's already ~public.  I am nearly positive there are a
> number of other instances of this crash on trac.
> 
>> Regards, José Valentín Gutiérrez
>> -- Elliott aka QuLogic, Pidgin developer
> 
> Cheers,
> - --
> Paul Aurich
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iQIcBAEBCAAGBQJPkPIkAAoJEEkfeuGm+zD3hwwQAMCUNKrK2fIqNlk+hRio4PSk
> 1i+FDINbP2fU5Lp95WRhilb0Ypyi+xnHj3FoyzCC3JVs3GNzBq0ZBWMmXLJGTJFM
> aj3JQlGJY2018k9RrhPkyqr5/mfeSHlmZR5qd1v3mhrweAGJkClwa8Ct73aj72iN
> JF/DoUDgBeoscHfqMzD5hBG38FAGJqvVphm1Q6X0Gv8Nk4//e9+1wC85t1lXPONY
> oqU2e2EXY91DLlGY85dGlyU65kQVJix/9vz13LKPmEnPhq79m4QoILt9BWHAqvKr
> U7p4UiwcCR2eHG0efr1M8YYTRH4uzv67V5f+xzaHpyHSY37sRGKgzEZfk8vBdBOX
> 6j3xtmN7vYGuYeqjPoRYq5lh05+oRrgUOS7y8j8HGC8g7hdxLnrBokpAR/d3w/RW
> b1XiGCynI0QQ5SG849YqpgndkH2Z+D+aNaij/zHXv8xxoaF16X2n0bDkRjkMvtp1
> 1WXZikoU/C2QQ5CtdAZGjqCSTBNRbu1SkSrZIGOJUmm7sd+YHIEpdO1YYuNSwbkn
> HjfO3hfMkCmjI2Vm3mNa6V+AXjLOzjK1yFSKobqKZjn+A/MKYr1N2h4u70fPct/6
> ub3LvsNK/3RWj2+jzm1N05ZCC3nK1GRgwcdNsQakkMuinaWoKUItBf0SA0BIVi1F
> 7fBD4OlgWQ34qgXAvDtn
> =yfEN
> -----END PGP SIGNATURE-----
> <cve-2012-2144-proxy.c.patch><cve-2012-2144-proxy.c.patch.sig>
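Added illustration for this thread (not libpurple code and not the attached patch): a minimal model of the callback-after-free José describes above. One per-transfer context (standing in for jsx) is shared by several in-flight connection attempts, one per stream host. When stream host #3 succeeds the context is freed, but the attempts for hosts #1 and #2 are still pending, so when the OS later reports the socket timeout for host #1 the callback is handed a stale pointer. The fix modelled here is the one the patch discussion implies: cancel every outstanding attempt before the context is freed, so no callback can fire with it. The table-based "event loop", the names start_connect / cancel_connect / deliver / xfer_t, and the error value are assumptions for the demonstration; only the shape of the bug is taken from the report. The stale pointer is recognised by integer comparison rather than dereferenced, because dereferencing it would be the crash under discussion.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical async-connect API; loosely in the spirit of
 * purple_proxy_connect / purple_proxy_connect_cancel, not their real API. */
#define MAX_PENDING 8
#define NUM_HOSTS   3
#define ERR_TIMEOUT 110   /* illustrative "socket timed out" error code */

typedef void (*connect_cb)(void *data, int error);

typedef struct {
    int in_use;
    connect_cb cb;
    void *data;          /* opaque context handed back to cb (the "jsx") */
} pending_t;

static pending_t pending[MAX_PENDING];   /* one slot per PurpleProxyConnectData-like attempt */

/* Register an async attempt; returns a handle, or -1 when the table is full. */
static int start_connect(connect_cb cb, void *data)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!pending[i].in_use) {
            pending[i].in_use = 1;
            pending[i].cb = cb;
            pending[i].data = data;
            return i;
        }
    }
    return -1;
}

/* Cancel an attempt so its callback can never run. */
static void cancel_connect(int handle)
{
    if (handle >= 0 && handle < MAX_PENDING)
        pending[handle].in_use = 0;
}

/* The "event loop" delivers one completion: error == 0 means connected. */
static void deliver(int handle, int error)
{
    if (!pending[handle].in_use)
        return;                       /* cancelled attempts never fire */
    pending_t p = pending[handle];
    pending[handle].in_use = 0;
    p.cb(p.data, error);
}

/* Per-transfer state standing in for JabberSIXfer. */
typedef struct {
    int handles[NUM_HOSTS];  /* one pending attempt per stream host */
    int cancel_on_free;      /* 0 = buggy behaviour, 1 = fixed behaviour */
} xfer_t;

/* Demonstration bookkeeping: remember the freed context's address as an
 * integer so the callback can detect a stale pointer without touching it. */
static uintptr_t freed_ctx;
static int dangling_calls;

static void xfer_free(xfer_t *x)
{
    if (x->cancel_on_free) {
        /* The fix: nothing may still hold a pointer to x once it is freed. */
        for (int i = 0; i < NUM_HOSTS; i++)
            cancel_connect(x->handles[i]);
    }
    freed_ctx = (uintptr_t)x;
    free(x);
}

static void stream_host_connect_cb(void *data, int error)
{
    if ((uintptr_t)data == freed_ctx) {
        dangling_calls++;   /* real code would dereference jsx here: the crash */
        return;
    }
    xfer_t *x = data;
    if (error == 0)
        xfer_free(x);       /* transfer completed on this stream host */
    /* a non-zero error on a live context would just move to the next host */
}

/* Replays the report: host #3 connects first, then host #1 times out.
 * Returns how many callbacks ran with an already-freed context. */
int run_scenario(int cancel_on_free)
{
    memset(pending, 0, sizeof pending);
    freed_ctx = 0;
    dangling_calls = 0;

    xfer_t *x = calloc(1, sizeof *x);
    x->cancel_on_free = cancel_on_free;
    int h[NUM_HOSTS];                 /* local copy: x is invalid after the free */
    for (int i = 0; i < NUM_HOSTS; i++)
        h[i] = x->handles[i] = start_connect(stream_host_connect_cb, x);

    deliver(h[2], 0);                 /* stream host #3 succeeds, context freed */
    deliver(h[0], ERR_TIMEOUT);       /* stream host #1's timeout arrives afterwards */
    return dangling_calls;
}

int main(void)
{
    printf("buggy: %d stale callback(s)\n", run_scenario(0));
    printf("fixed: %d stale callback(s)\n", run_scenario(1));
    return 0;
}
```

The buggy run reports one stale callback and the fixed run none. This also shows why the crash is hard to reproduce, as Paul notes: the stale callback only misbehaves visibly if the freed memory has been reused, so the right invariant to enforce is that every pending attempt is cancelled in the same place the context is freed, not that the callback happens to survive reading freed memory.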
