MXit security flaws

Andrew Victor Andrew.Victor at mxit.com
Tue Jan 29 16:56:00 EST 2013


hi Mark,

>>>>> CID 732105:
>>>>> * Copy into fixed size buffer. In mxit_encrypt_password: A source
>>>>> buffer of statically unknown size is copied into a fixed-size
>>>>> destination buffer
>>> This wasn't a security problem, right?  As in, it wasn't possible for
>>> a remote user or remote server to cause this field to overflow, right?
>>
>> This looks like a potential buffer overflow if the user entered a too long
>> (> 57 character) password.
>
> Right, so a Pidgin user could crash himself, but there's no danger of
> a remote-user triggering this crash in a local Pidgin instance.

Yes, it can only be triggered by the local user entering a too long password.
Either by entering it in the account details form, or by trying to change their password.
It cannot be triggered remotely.


> > When do you plan to make the 2.10.7 release?
> I'm thinking maybe 2 weeks from now?  We still need to fix another
> issue, then notify Linux distributions and give them time to build
> patched packages.

Ok, great.
All the necessary MXit fixes are now applied to release-2.x.y (except the http security patch one).

This fix <http://hg.pidgin.im/pidgin/main/rev/f7b7a6c58ad3> should also be applied to 2.10.7.  Without it Pidgin occasionally crashes or freezes when closing the conversation window.

There is also what I am guessing is a GTK issue with drop-down lists (purple_request_field_list).
If you look at the attached screenshot, the "Your Country" and "Your Language" should display a list for the user to select an option - but the list element is being drawn with a 0-pixel (or very very small) height.
This happens on Ubuntu 12.04 (GTK 2.24.10), but not Ubuntu 10.04 (GTK 2.20.1).


Regards,
  Andrew
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PidginScreenshot.png
Type: image/png
Size: 26095 bytes
Desc: PidginScreenshot.png
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20130129/5ffa19e9/attachment-0001.png>
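
Added example, not code from the Pidgin source or from this thread: a length-checked way to build a prefixed password buffer, which closes the "copy into fixed size buffer" class of finding discussed above. The 57-character limit comes from the thread; the prefix string, buffer layout and function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PASSWORD_LEN 57   /* limit quoted in the thread */
#define PREFIX "HEADER:"      /* constructed placeholder, not MXit's value */
#define PLAINTEXT_BUF_SIZE (sizeof(PREFIX) + MAX_PASSWORD_LEN) /* prefix + password + NUL */

/* Pattern of the kind the CID describes (length of `password` never checked):
 *     char buf[PLAINTEXT_BUF_SIZE];
 *     strcpy(buf, PREFIX);
 *     strcat(buf, password);
 */

/* Length of s, scanning at most `max` bytes (portable stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Build PREFIX + password in dst. Returns 0 on success, -1 when the input
 * is missing, longer than MAX_PASSWORD_LEN, or does not fit in dst. */
int build_plaintext(char *dst, size_t dst_size, const char *password)
{
    const size_t prefix_len = sizeof(PREFIX) - 1;
    size_t pw_len;

    if (dst == NULL || password == NULL)
        return -1;
    pw_len = bounded_len(password, MAX_PASSWORD_LEN + 1);
    if (pw_len > MAX_PASSWORD_LEN)
        return -1;                       /* reject instead of truncating */
    if (dst_size < prefix_len + pw_len + 1)
        return -1;
    memcpy(dst, PREFIX, prefix_len);
    memcpy(dst + prefix_len, password, pw_len + 1);  /* copies the NUL too */
    return 0;
}

int main(void)
{
    char buf[PLAINTEXT_BUF_SIZE];
    char too_long[MAX_PASSWORD_LEN + 2];   /* constructed 58-character input */
    memset(too_long, 'a', sizeof(too_long) - 1);
    too_long[sizeof(too_long) - 1] = '\0';
    printf("short: %d, 58 chars: %d\n", build_plaintext(buf, sizeof(buf), "secret"),
           build_plaintext(buf, sizeof(buf), too_long));
    return 0;
}
```

Rejecting the overlong input, rather than silently truncating it, keeps the user from ending up with a password that differs from the one typed.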

