Another g_markup_escape_text Vulnerability

Elliott Sales de Andrade qulogic at pidgin.im
Fri May 4 18:05:25 EDT 2012


Hi Mark,

I'm not sure all of those are problems.

On Fri, May 4, 2012 at 3:53 AM, Mark Doliner <mark at kingant.net> wrote:

> Hey Elliott, from looking at your patch it seems like there might
> still be a few places where we don't validate the string as UTF-8.
> For example:
> - If no content-type is provided
>

I'm actually not sure why that conversion is there, now that I look again.
If there is no content-type, then `msn_cmdproc_process_msg` (which is
called on the message immediately after, and leads to the crash) should
ignore the message entirely.

> - If content-type is not text/plain
>

If it's not text/plain, then it may not necessarily be UTF-8 anyway. It
could, for example, be P2P data. They definitely shouldn't be displayed,
but there might be some other type of parsing going on; I'd have to
check the other content types to be sure.

> - If msg->charset is NULL and g_convert(from ISO-8859-1 to UTF-8) fails
> - If msg->charset is set to something other than UTF-8 and
> g_convert(msg->charset to UTF-8) fails and g_convert(ISO-8859-1 to
> UTF-8) fails
>

Is it even possible for ISO-8859-1->UTF-8 conversion to fail? I thought all
bytes are valid ISO-8859-1 and there are no multi-byte characters. I tried
converting a buffer of 255-0 which did not induce an error.


> It seems like we need to set msg->body to NULL if some of those
> conversions fail.  Does this sound accurate to you?  I'll try making a
> few tweaks and sending out another patch.
>



-- 
Elliott aka QuLogic
Pidgin developer
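Two points in the exchange above lend themselves to a worked example: whether an ISO-8859-1 to UTF-8 conversion can ever fail, and the proposed rule that msg->body must become NULL (rather than reach g_markup_escape_text()) whenever the body cannot be made valid UTF-8. The following is an added example written by the editor, not code from Pidgin's MSN protocol plugin or from anyone in the thread. It deliberately has no GLib dependency: latin1_to_utf8() stands in for g_convert(ISO-8859-1 -> UTF-8), utf8_validate() is a strict validator in the spirit of g_utf8_validate(), latin1_roundtrip_always_valid() runs the 255-0 buffer experiment the mail describes over all 256 byte values, and sanitize_body() models the fix. All function names are assumptions, as is the choice to send any charset other than UTF-8 straight to the ISO-8859-1 fallback (no iconv is assumed here).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* ISO-8859-1 -> UTF-8. Every byte 0x00-0xFF is a valid Latin-1 character
 * mapping to U+0000-U+00FF, so this cannot fail: bytes < 0x80 copy through,
 * bytes >= 0x80 become a 2-byte sequence. Returns a malloc'd buffer. */
char *latin1_to_utf8(const unsigned char *in, size_t n, size_t *out_len)
{
    char *out = malloc(2 * n + 1);          /* worst case: every byte doubles */
    size_t o = 0;
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        unsigned c = in[i];
        if (c < 0x80) {
            out[o++] = (char)c;
        } else {
            out[o++] = (char)(0xC0 | (c >> 6));
            out[o++] = (char)(0x80 | (c & 0x3F));
        }
    }
    out[o] = '\0';
    if (out_len) *out_len = o;
    return out;
}

/* Strict UTF-8 validation (stand-in for g_utf8_validate()): rejects stray
 * continuation bytes, truncated sequences, overlong encodings, UTF-16
 * surrogates and code points above U+10FFFF. 1 = well-formed, 0 = not. */
int utf8_validate(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        unsigned c = s[i];
        size_t len; uint32_t cp;
        if (c < 0x80) { i++; continue; }
        else if ((c & 0xE0) == 0xC0) { len = 2; cp = c & 0x1F; }
        else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; }
        else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; }
        else return 0;                        /* 0x80-0xBF or 0xF8-0xFF lead */
        if (i + len > n) return 0;            /* truncated sequence */
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if ((len == 2 && cp < 0x80) || (len == 3 && cp < 0x800) ||
            (len == 4 && cp < 0x10000)) return 0;   /* overlong */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0; /* surrogate */
        if (cp > 0x10FFFF) return 0;
        i += len;
    }
    return 1;
}

/* The experiment from the mail: a buffer holding every byte value 255..0,
 * converted from Latin-1, must come out as valid UTF-8 of the expected
 * length (128 ASCII bytes + 128 two-byte sequences = 384 bytes). */
int latin1_roundtrip_always_valid(void)
{
    unsigned char buf[256];
    size_t out_len = 0;
    for (int i = 0; i < 256; i++) buf[i] = (unsigned char)(255 - i);
    char *u = latin1_to_utf8(buf, sizeof buf, &out_len);
    int ok = u != NULL && out_len == 384 &&
             utf8_validate((const unsigned char *)u, out_len);
    free(u);
    return ok;
}

/* Model of the fix discussed: whatever comes out of charset handling is
 * either valid UTF-8 or NULL, so nothing invalid reaches the escaper.
 * charset NULL  -> treated as ISO-8859-1 (always convertible).
 * charset UTF-8 -> validated as-is; invalid input yields NULL.
 * other charset -> assumption for this example: ISO-8859-1 fallback. */
char *sanitize_body(const unsigned char *raw, size_t n, const char *charset)
{
    if (charset != NULL && strcmp(charset, "UTF-8") == 0) {
        if (!utf8_validate(raw, n)) return NULL;    /* drop, do not escape */
        char *copy = malloc(n + 1);
        if (!copy) return NULL;
        memcpy(copy, raw, n);
        copy[n] = '\0';
        return copy;
    }
    return latin1_to_utf8(raw, n, NULL);
}

int main(void)
{
    printf("Latin-1 -> UTF-8 always valid: %s\n",
           latin1_roundtrip_always_valid() ? "yes" : "no");
    char *b = sanitize_body((const unsigned char *)"\xFF" "abc", 4, "UTF-8");
    printf("bogus UTF-8 body becomes NULL: %s\n", b == NULL ? "yes" : "no");
    free(b);
    return 0;
}
```

Note that the validator, like g_utf8_validate(), is the step that is missing when a message declares charset UTF-8: the bytes are taken on trust, and g_markup_escape_text() is then walked over them by g_utf8_next_char(), which assumes well-formed input.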

