Fwd: [pidgin-security] possible segfault in perl wrapper

Tomasz Wasilczyk tomasz at wasilczyk.pl
Thu Apr 11 21:30:32 EDT 2013


please read this short discussion and give me opinion, what should I
do. Should I treat this as security fix and postpone committing until
just before release?


---------- Forwarded message ----------
From: Ben Laurie <benl at google.com>
Date: 2013/4/11
Subject: Re: [pidgin-security] possible segfault in perl wrapper
To: Tomasz Wasilczyk <tomasz at wasilczyk.pl>

On 10 April 2013 18:57, Tomasz Wasilczyk <tomasz at wasilczyk.pl> wrote:
> Hi,
> I have found a theoretically possible segfault in perl wrapper.
> Libpurple wraps purple_network_ip_atoi [1] with [2]. The first one
> returns 4-byte buffer, but the second one returns C-string (because of
> [3] mapping). Result: 4-byte raw buffer is copied as C-string using
> strlen.
> I hardly believe, that anyone is affected, because this function
> doesn't seems to have ever been working.
> Also: do you think, that such bug should be treated as "sensitive", or
> can be safely assumed that no one actually uses that feature.

Sounds to me that it might have been used, in fact, since 0s in real
IP addresses are relatively rare (there was a time when lots of things
broke if you had a 0 anywhere), so the string copy will _usually_
yield the right value (plus a buffer overflow!). So, I suspect it
should be considered somewhat sensitive.

> Proposed solution:
> remove it from Pidgin 3.0.0 and disable in 2.x.y.
> [1] https://hg.pidgin.im/pidgin/main/file/90201925e1fe/libpurple/network.c#l125
> [2] https://hg.pidgin.im/pidgin/main/file/90201925e1fe/libpurple/plugins/perl/common/Network.xs#l22
> [3] https://hg.pidgin.im/pidgin/main/file/90201925e1fe/libpurple/plugins/perl/common/typemap#l33

More information about the security mailing list