Another g_markup_escape_text Vulnerability

Elliott Sales de Andrade qulogic at pidgin.im
Thu Apr 26 01:47:18 EDT 2012


I have attached a patch that should take care of this issue.

It's basically an extension of a previous fix for when a charset is not
specified on a plaintext message to non-UTF8 charsets. Now, all non-UTF8
charsets are converted to UTF8. I also added a validation for any incoming
message that specifies UTF8, although in my tests, the server seems to
reject invalid UTF8 (not sure if it checks any other charsets).

On Sun, Apr 15, 2012 at 9:40 PM, Elliott Sales de Andrade <qulogic at pidgin.im> wrote:

> Hi Fabian,
>
> Thanks for reporting this issue.
>
> On Tue, Apr 10, 2012 at 4:53 AM, Fabian Yamaguchi <Fabian.Yamaguchi at cs.uni-goettingen.de> wrote:
>
>> Hi Pidgin Security Team,
>>
>> I've noticed that you have recently been patching lots of little bugs
>> concerning the use of g_markup_escape_text on non-valid UTF-8 strings
>> read from binary packets. Here's a similar bug in msn_plain_msg in the
>> newest Version of Pidgin (2.10.3):
>>
>> void
>> msn_plain_msg(MsnCmdProc *cmdproc, MsnMessage *msg)
>> {
>>        PurpleConnection *gc;
>>        const char *body;
>>        char *body_enc;
>>        char *body_final;
>>        size_t body_len;
>>        const char *passport;
>>        const char *value;
>>
>>        gc = cmdproc->session->account->gc;
>>
>>        body = msn_message_get_bin_data(msg, &body_len); <--- (1)
>>        body_enc = g_markup_escape_text(body, body_len); <--- (2)
>>
>>        passport = msg->remote_user;
>>
>>        if (!strcmp(passport, "messenger@microsoft.com") &&
>>                strstr(body, "immediate security update"))
>>        {
>>                return;
>>        }
>>
>> [...]
>> }
>>
>> On line (1), a chunk of binary characters is read and saved in msg. On
>> line (2) this string is passed to g_markup_escape_text without
>> validating that it is a valid UTF-8 string.
>>
>>
> I think it should not be too hard to patch this, though I think I would
> move the validation higher up in the call chain.
>
>
>> ... and a stacktrace:
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x00007ffff50e7f00 in g_markup_escape_text ()
>> from /usr/lib/libglib-2.0.so.0
>> (gdb) bt
>> #0  0x00007ffff50e7f00 in g_markup_escape_text ()
>> from /usr/lib/libglib-2.0.so.0
>> #1  0x00007fffe7d1430f in msn_plain_msg ()
>> from /usr/lib/purple-2/libmsn.so
>> #2  0x00007fffe7d0a5c6 in msn_cmdproc_process_msg ()
>> from /usr/lib/purple-2/libmsn.so
>> #3  0x00007fffe7d2c7ef in ?? () from /usr/lib/purple-2/libmsn.so
>> #4  0x00007fffe7d25ae9 in msn_servconn_process_data ()
>> from /usr/lib/purple-2/libmsn.so
>> #5  0x00007fffe7d25c81 in ?? () from /usr/lib/purple-2/libmsn.so
>> #6  0x000000000046af5d in ?? ()
>> #7  0x00007ffff50e337c in g_main_context_dispatch ()
>> from /usr/lib/libglib-2.0.so.0
>> #8  0x00007ffff50e3798 in ?? () from /usr/lib/libglib-2.0.so.0
>> #9  0x00007ffff50e3b92 in g_main_loop_run ()
>> from /usr/lib/libglib-2.0.so.0
>> #10 0x00007ffff6d76637 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
>> #11 0x00000000004319a1 in main ()
>>
>> I hope this information is useful to you guys. I can also provide a
>> trigger if required.
>>
>>
> If you could do so, that would make fixing this bug easier and quicker.
>
>
>> regards,
>>
>> Fabian Yamaguchi (University of Goettingen)
>>
>>
> --
> Elliott aka QuLogic
> Pidgin developer
>

-- 
Elliott aka QuLogic
Pidgin developer
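The guard the patch described above adds, as an added example that is neither the attached diff nor Pidgin's own code: validate the bytes read from the packet before anything markup-escapes them. It assumes a hypothetical utf8_validate() standing in for GLib's g_utf8_validate() so it builds without GLib, and sanitises invalid input by mapping non-ASCII bytes to '?', an assumed stand-in for the charset conversion the real patch performs.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for g_utf8_validate(): returns 1 when b[0..len) is
 * well-formed UTF-8 (no truncated sequences, overlongs, surrogates or code
 * points above U+10FFFF), otherwise 0. */
static int utf8_validate(const unsigned char *b, size_t len)
{
    for (size_t i = 0; i < len; ) {
        unsigned c = b[i], n, cp;
        if (c < 0x80) { i++; continue; }
        if (c >= 0xC2 && c <= 0xDF) { n = 1; cp = c & 0x1F; }
        else if (c >= 0xE0 && c <= 0xEF) { n = 2; cp = c & 0x0F; }
        else if (c >= 0xF0 && c <= 0xF4) { n = 3; cp = c & 0x07; }
        else return 0;                      /* stray continuation, 0xC0/0xC1, 0xF5+ */
        if (i + n >= len) return 0;         /* sequence truncated by end of buffer */
        for (size_t k = 1; k <= n; k++) {
            if ((b[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (b[i + k] & 0x3F);
        }
        if ((n == 2 && cp < 0x800) || (n == 3 && cp < 0x10000) ||
            (cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) return 0;
        i += n + 1;
    }
    return 1;
}

/* What msn_plain_msg should do with body/body_len before escaping: check the
 * binary payload first, and hand the escaper only valid text. Assumption: when
 * validation fails, every non-ASCII byte becomes '?' (the patch converts the
 * charset instead). Escapes the five markup-significant bytes like
 * g_markup_escape_text. Returns a malloc'd string the caller frees. */
char *safe_plain_msg_escape(const char *body, size_t len)
{
    const unsigned char *b = (const unsigned char *)body;
    int valid = utf8_validate(b, len);
    char *out = malloc(len * 6 + 1), *p = out;  /* "&quot;" is the longest entity */
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (valid || b[i] < 0x80) ? b[i] : '?';
        const char *rep = c == '&' ? "&amp;" : c == '<' ? "&lt;" : c == '>' ? "&gt;" :
                          c == '"' ? "&quot;" : c == '\'' ? "&apos;" : NULL;
        if (rep) { memcpy(p, rep, strlen(rep)); p += strlen(rep); }
        else *p++ = (char)c;
    }
    *p = '\0';
    return out;
}
```

Note that the length comes from the packet, not from a NUL terminator, so the loop never reads past body_len regardless of what the binary payload contains.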
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin-msn-utf8-validation.diff
Type: application/octet-stream
Size: 2296 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20120426/b0287fa5/attachment.obj>