Possible security issue in Pidgin 2.7.3 (and later?)

Mark Doliner mark at kingant.net
Fri Dec 28 19:02:40 EST 2012


On Sun, Dec 16, 2012 at 6:10 PM, Moritz Naumann
<bugs.debian.org at moritz-naumann.com> wrote:
> here's a quote from #debian-security on the OFTC IRC network, posted
> roughly four hours ago:
>
>> * [TheFlash] (~TheFlash]@cable-188-2-16-115.dynamic.sbb.rs) has joined #debian-security
>> <[TheFlash]> hi
>> <[TheFlash]> i think i found a denial of service vulnerability in the "pidgin" package (on Debian stable, fully updated)
>> <[TheFlash]> which may or may not be an improperly patched previous vulnerability
>> <[TheFlash]> it's possible to remotely crash pidgin (segmentation fault) through the XMPP protocol
>> <[TheFlash]> the actual crash seems to happen on line 169 of jingle/transport.c (NULL dereference)
>> <[TheFlash]> this bug isn't listed on security-tracker.debian.org, should I report it somewhere?
>> * [TheFlash] (~TheFlash]@cable-188-2-16-115.dynamic.sbb.rs) has left #debian-security
> (14 minutes after s/he joined)
>
> I have not made any attempts to reproduce this issue on Pidgin 2.7.3 (in
> Debian stable) or any earlier/later version.
>
> I'm also unrelated to the original reporter.

Hi Moritz and Debian security team.  Sorry for the delay in our response.

This crash was fixed by this commit:
http://hg.pidgin.im/pidgin/main/rev/b25469e04402

That commit was included in Pidgin 2.7.10.  We did not treat this as a
security problem at the time, but perhaps we should have.  If someone
not on your XMPP roster is able to trigger a crash in your Pidgin
client without any action on your part then we probably should have
treated this as a security problem and obtained a CVE number,
coordinated public disclosure, etc.

I do recommend that any distributions shipping Pidgin earlier than
2.7.10 patch this problem.  I'll send an email to the other
distributions on Pidgin's packagers at pidgin.im mailing list.

Thanks for bringing this up!
--Mark
