MXit security flaws

Daniel Atallah daniel.atallah at gmail.com
Mon Dec 17 18:21:23 EST 2012 

On Mon, Dec 17, 2012 at 5:57 PM, Andrew Victor <Andrew.Victor at mxit.com> wrote:
>> CID 732105:
>> * Copy into fixed size buffer. In mxit_encrypt_password: A source
>> buffer of statically unknown size is copied into a fixed-size
>> destination buffer
>>  * libpurple/protocols/mxit/cipher.c:93 -> strcat( pass,
>> session->acc->password );
>
> This code has been improved and fixed in the 3.0.0 tree.
> http://hg.pidgin.im/pidgin/main/diff/b9ede4a1435b/libpurple/protocols/mxit/cipher.c
> http://hg.pidgin.im/pidgin/main/diff/b4729e4322f3/libpurple/protocols/mxit/cipher.c
>
> We could possibly just use the version from the 3.0.0 tree.

The updated code does seem to not have this particular problem, but I
didn't really look at the changes in too much detail because there's a
lot there.

See my note below about the caveats of backporting.

>> CID 732025:
>> * Explicit null dereferenced. In mxit_send_extprofile_update:
>> Dereference of an explicit null value
>> * libpurple/protocols/mxit/protocol.c:871 -> datalen += sprintf(
>> data + datalen, "%c%s%c%s%c%s",  ...
>
> This should not be exploitable since it's only called from action.c mxit_profile_cb() which generates both the input attributes and the number of attributes.

Ok, then probably just some g_return() type of checks would be
appropriate for this one then.

> There are a number of MXit-specific fixes in the mxit-2.x.y branch of the Mercurial repo.  Most of them are backported from the 3.0.0-dev tree.  Would you consider merging the mxit-2.x.y branch, or do you specifically only want fixes for the above issues?

Since main-2.x.y isn't a throwaway branch (meaning that it will be
merged back into default), transplant/graft/manual backports are
suboptimal because they'll become merge conflicts.

It may still be the the right thing to backport the changes that are
already made for 3.0.0, but it's something to think about when
deciding where to make a change.

I guess I don't know much about what's in mxit-2.x.y, but not in
main-2.x.y - I'm really not at all familiar with mxit.  I think it's
going to be up to you guys to make that decision.
I'm pretty sure that we're going to release 2.10.7 with all of the
unreleased changes in main-2.x.y and not just a separate set of
targeted security fixes if that's what the question was getting at.

-D

More information about the security mailing list