Additional Security issues

Mark Doliner mark at
Thu Feb 7 02:19:07 EST 2013

On Wed, Feb 6, 2013 at 5:37 AM, Ethan Blanton <elb at> wrote:
> Mark Doliner spake unto us the following wisdom:
>> On Tue, Feb 5, 2013 at 2:11 PM, Daniel Atallah <daniel.atallah at> wrote:
>> >  * CID 732103 - Fix non-NUL terminated buffer during oscar direct
>> > connection negotiation.
>> >  ** I think this one is pretty severe - my patch is certainly not ideal
>> This is bad and we should fix it (your patch seems ok to me), but I
>> don't think it's a security problem because the local user must have
>> agreed to join the Direct IM session with the remote user.  I believe
>> we generally don't request CVE in cases like this.
> If it's just a crasher, I agree -- if it's (potentially) exploitable,
> though, I think it needs a CVE.

I think it's just a crasher.  The bug is that we don't null-terminate
a buffer then pass it to purple_strcasestr() and
purple_markup_find_tag().  I don't think there's any opportunity for
someone to write outside of the buffer.

More information about the security mailing list