MXit security flaws

Mark Doliner mark at kingant.net
Tue Jan 29 14:13:16 EST 2013


On Tue, Jan 29, 2013 at 4:47 AM, Andrew Victor <Andrew.Victor at mxit.com> wrote:
>>>> CID 732102: (This is the most critical one)
>>>
>>> Definitely a valid issue that needs fixing, and as you pointed out a
>>> possible buffer overrun.
>
>> Eek.  I took a stab at fixing this.
>
> Pieter Loubser sent through a patch about two weeks ago, but I see now it
> was only sent to Daniel.
>
> I have attached the patch.
> It's a minimally invasive change since we were also hoping to replace all
> that code in 3.0.0 with the new standard HTTP client code.

This looks good to me.  I'll use this when I eventually make the build.

> For testing just note you need to enable "Connect via HTTP" option in the
> Account -> Advanced tab.  HTTP is not the default connection method.

Ok, thanks.

>>>> CID 732105:
>>>> * Copy into fixed size buffer. In mxit_encrypt_password: A source
>>>> buffer of statically unknown size is copied into a fixed-size
>>>> destination buffer
>> This wasn't a security problem, right?  As in, it wasn't possible for
>> a remote user or remote server to cause this field to overflow, right?
>
> This looks like a potential buffer overflow if the user entered a too long
> (> 57 character) password.

Right, so a Pidgin user could crash himself, but there's no danger of
a remote user triggering this crash in a local Pidgin instance.

> When do you plan to make the 2.10.7 release?

I'm thinking maybe 2 weeks from now?  We still need to fix another
issue, then notify Linux distributions and give them time to build
patched packages.
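The fixed-size copy discussed under CID 732105, as an added example written for this page rather than MXit's or Pidgin's own code: the unchecked copy Coverity flags beside a bounded replacement that refuses passwords longer than 57 characters instead of overrunning the buffer. The buffer size, function names and sample inputs are assumptions, not the real layout of mxit_encrypt_password.

```c
#include <stdbool.h>
#include <string.h>

/* Limit taken from the thread (> 57 characters overran the buffer); the
 * buffer layout and names below are hypothetical, not MXit's real code. */
#define PW_MAX 57
#define PW_BUF (PW_MAX + 1)

/* Pattern Coverity flagged (CID 732105): a string of statically unknown
 * length is copied into a fixed-size buffer with no length check, so any
 * password longer than PW_MAX bytes writes past the end of `block`.
 * Kept only for contrast; nothing below calls it. */
void password_copy_unchecked(char block[PW_BUF], const char *password)
{
    strcpy(block, password); /* overflows when strlen(password) > PW_MAX */
}

/* Hardened form: read at most PW_MAX + 1 bytes, refuse anything longer
 * (refusing beats silently truncating a credential), then copy with an
 * explicit bound. On rejection `block` is left zeroed. */
bool password_copy_bounded(char block[PW_BUF], const char *password)
{
    memset(block, 0, PW_BUF);
    if (password == NULL)
        return false;
    size_t len = 0;
    while (len <= PW_MAX && password[len] != '\0')
        len++;                    /* stops scanning after PW_MAX + 1 bytes */
    if (len > PW_MAX)
        return false;
    memcpy(block, password, len); /* len <= PW_MAX, so block[len] exists */
    block[len] = '\0';
    return true;
}

/* Constructed inputs at the boundary: exactly 57 bytes is accepted, 58 is
 * refused and the destination stays zeroed. Returns true if both hold. */
bool demo_boundary(void)
{
    char block[PW_BUF], pw[PW_BUF + 1];
    memset(pw, 'a', PW_MAX);
    pw[PW_MAX] = '\0';
    bool ok = password_copy_bounded(block, pw) && strlen(block) == PW_MAX;
    pw[PW_MAX] = 'a';
    pw[PW_MAX + 1] = '\0';
    return ok && !password_copy_bounded(block, pw) && block[0] == '\0';
}
```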
