Additional Security issues

Mark Doliner mark at
Wed Feb 6 04:02:03 EST 2013

On Tue, Feb 5, 2013 at 2:11 PM, Daniel Atallah <daniel.atallah at> wrote:
>  * CID 732103 - Fix non-NUL terminated buffer during oscar direct
> connection negotiation.
>  ** I think this one is pretty severe - my patch is certainly not ideal

This is bad and we should fix it (your patch seems ok to me), but I
don't think it's a security problem because the local user must have
agreed to join the Direct IM session with the remote user.  I believe
we generally don't request CVE in cases like this.

>  * CID 731954, 731953, 731952, 731951, 731950 UPnP buffer overflows
>  ** This is pretty severe too the particular concerning value here is
> line 790 - setting the IP from the http response

I didn't look at this one too carefully, but your patch looks
reasonable to me.  The danger from this one is limited quite a bit, I
think, because an attacker must be on the same local network as the
victim, right?  Regardless, I can request a CVE for this when I email
packagers about the others.

>  * CID 731949 - normalizing a really long sametime username overflows buffer
>  ** Not sure if this is possible to trigger over the wire - I'm not
> familiar enough with sametime

The fix looks good to me.  I also don't know if it's possible.  This
isn't a write-buffer-overflow, right?  If the id is longer than 4096
bytes then the string won't be null terminated which could lead to a
crash.  This seems unlikely to me, but probably possible by a
malicious server?  I think we've agreed we should request a CVE in
cases like this (even though this specific instance seems really minor
to me).

More information about the security mailing list