Jabber OOB Transfer security issue

Daniel Atallah daniel.atallah at gmail.com
Sat Nov 23 20:23:03 EST 2013


On Sat, Nov 23, 2013 at 6:45 PM, Matt Jones <matt at volvent.org> wrote:
>
> Hey Daniel,
>
> I didn't investigate this one further than what my writeup said. Why
> wouldn't it be an avenue, can you elaborate a tiny bit?

Sure, it's basically what Thijs Alkemade said on September 20th - the only
place where the value parsed via sscanf from Content-Length is used is as
an argument to purple_xfer_set_size(), which would immediately cast it to a
size_t (which is unsigned).
The worst thing that could happen is that a file transfer for a 2^64 − 1
(on 64-bit systems) byte file would be started.

-D
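As an added illustration of the conversion Daniel describes (this is hypothetical stand-in code, not libpurple's own parser or purple_xfer_set_size()), the first function mirrors "sscanf into a signed int, then cast to size_t" and the second shows a parse that rejects a sign, overflow and trailing junk before the value ever reaches a size_t; the header strings are constructed inputs.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern described in the thread: a signed int from sscanf("%d") handed
 * to a setter that stores size_t. The cast converts modulo 2^N, so a
 * negative Content-Length becomes a huge expected size, not a crash. */
static size_t parsed_size_as_described(const char *header)
{
    int len = 0;
    if (sscanf(header, "Content-Length: %d", &len) != 1)
        return 0;
    return (size_t)len;   /* "-1" yields SIZE_MAX (2^64 - 1 on 64-bit) */
}

/* Hardened variant (assumed design, not libpurple's): parse unsigned only,
 * refuse a leading '-', refuse overflow, refuse anything after the digits. */
static int parse_content_length(const char *header, size_t *out)
{
    static const char prefix[] = "Content-Length:";
    const char *p = header;
    char *end;
    unsigned long long v;

    if (strncmp(p, prefix, sizeof prefix - 1) != 0)
        return 0;
    p += sizeof prefix - 1;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p < '0' || *p > '9')          /* rejects '-', '+' and empty value */
        return 0;
    errno = 0;
    v = strtoull(p, &end, 10);
    if (errno == ERANGE || v > SIZE_MAX) /* out of range for size_t */
        return 0;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')                  /* trailing garbage */
        return 0;
    *out = (size_t)v;
    return 1;
}
```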