MXit security flaws

Andrew Victor Andrew.Victor at mxit.com
Tue Jan 29 07:47:41 EST 2013


hi,


>>> CID 732102: (This is the most critical one)
>>
>> Definitely a valid issue that needs fixing, and as you pointed out a possible buffer overrun.

> Eek.  I took a stab at fixing this.  


Pieter Loubser sent through a patch about two weeks ago, but I see now
it was only sent to Daniel.

I have attached the patch.
It's a minimally invasive change since we were also hoping to replace
all that code in 3.0.0 with the new standard HTTP client code.

For testing just note you need to enable "Connect via HTTP" option in
the Account -> Advanced tab.  HTTP is not the default connection method.




>>> CID 732105:
>>> * Copy into fixed size buffer. In mxit_encrypt_password: A source
>>> buffer of statically unknown size is copied into a fixed-size
>>> destination buffer
> This wasn't a security problem, right?  As in, it wasn't possible for
> a remote user or remote server to cause this field to overflow, right?


This looks like a potential buffer overflow if the user entered a
password that is too long (> 57 characters).

I have merged the encryption code from 3.0.0 into the release-2.x.y
branch.
There is one more change I want to make here: truncate the entered
password if it exceeds the maximum allowed.


The 3rd issue (CID 732025) wasn't a security problem.




> Andrew, you took care of all the desired merges, right?  Or are there
> more changes you're wondering about?  The merges you made looked
> reasonable to me.  In general I've been trying to avoid changing our
> default-2.x.y branch, to keep it stable and to reduce the amount of
> work merging those changes into "default."  But you guys are
> developing your prpl more actively than most other parts of Pidgin and
> I know it would be painful for you to have to wait until 3.0.0 for
> your changes to see the light of day, so I think it's very reasonable
> for you to continue making changes to the default-2.x.y branch as you
> see fit.


Thanks.  I have basically merged everything that really needed to be
merged.
For now, we are trying to keep the code in the 2.10 and 3.0.0 prpl as
close to each other as possible.


When do you plan to make the 2.10.7 release?


Regards,
  Andrew Victor

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20130129/1b609df9/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin-mxit.diff
Type: text/x-patch
Size: 923 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20130129/1b609df9/attachment.bin>
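The CID 732105 discussion above (an unbounded copy into a fixed-size password buffer, and the proposed fix of truncating or rejecting over-long input) is a generic pattern. The C below is an added illustration written for this page, not the MXit prpl's code or the attached patch: the buffer size MAX_PASSWORD_LEN, the function names and the sample passwords are assumptions made only for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for illustration. The thread only says the overflow
 * needs a password of more than 57 characters; the real buffer layout
 * in mxit_encrypt_password is not shown on this page. */
#define MAX_PASSWORD_LEN 57

/* The flagged pattern (reconstructed, hypothetical): a string of
 * statically unknown length copied into a fixed-size destination.
 * strcpy() writes strlen(src)+1 bytes regardless of dest's size, so
 * any src longer than MAX_PASSWORD_LEN overruns dest. */
static void copy_password_unchecked(char dest[MAX_PASSWORD_LEN + 1],
                                    const char *src)
{
    strcpy(dest, src);
}

/* Hardened variant 1: refuse input that does not fit.
 * Returns 0 on success, -1 if src is longer than MAX_PASSWORD_LEN. */
int copy_password_checked(char dest[MAX_PASSWORD_LEN + 1], const char *src)
{
    size_t n = strlen(src);
    if (n > MAX_PASSWORD_LEN)
        return -1;
    memcpy(dest, src, n + 1);   /* n + 1 copies the terminating NUL */
    return 0;
}

/* Hardened variant 2: truncate, as the mail proposes for release-2.x.y.
 * Always NUL-terminates dest. Returns the number of characters kept. */
size_t copy_password_truncated(char dest[MAX_PASSWORD_LEN + 1],
                               const char *src)
{
    size_t n = strlen(src);
    if (n > MAX_PASSWORD_LEN)
        n = MAX_PASSWORD_LEN;
    memcpy(dest, src, n);
    dest[n] = '\0';
    return n;
}

int main(void)
{
    char buf[MAX_PASSWORD_LEN + 1];
    char longpw[MAX_PASSWORD_LEN + 20];   /* constructed over-long input */

    memset(longpw, 'a', sizeof longpw - 1);
    longpw[sizeof longpw - 1] = '\0';

    /* Only safe because "hunter2" fits; with longpw this would overflow. */
    copy_password_unchecked(buf, "hunter2");
    printf("unchecked copy of short input: %s\n", buf);

    printf("checked copy of %zu-char input: %s\n", strlen(longpw),
           copy_password_checked(buf, longpw) == 0 ? "accepted" : "rejected");

    size_t kept = copy_password_truncated(buf, longpw);
    printf("truncated copy kept %zu of %zu chars\n", kept, strlen(longpw));
    return 0;
}
```

The rejecting variant is the safer default: silently truncating a password means the client may authenticate with a value the user never typed, so if truncation is chosen the UI should tell the user the limit.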