PGP key for vulnerability reports

Tomasz Wasilczyk twasilczyk at pidgin.im
Mon Nov 25 04:12:07 EST 2013 


W dniu 14.11.2013 03:56, Ethan Blanton pisze:
> Richard Johnson spake unto us the following wisdom:
>> Please find some of the security bugs we found attached. I've included my
>> public key exported to ascii as well. Let me know if you have any trouble
>> reproducing or understanding the bugs.
>
> Quick summary to the list; we'll have to figure out how to distribute
> these privately, or whether we just want me to send the unencrypted
> disclosures to the list.
>
> The four bugs are:
>
> 1. A bug in libgadu that has probably been fixed by Tomasz by this
>     point, although he'll have to verify that, and it might not yet be
>     included upstream (I have no idea).

I confirm the bug still exists, both in 2.x.y and 3.0.0 branches. A 
simple patch is attached to this mail.

This bug is exploitable only by attacker with ability to spoof GG 
service provider domains. Should I keep the non-disclosure procedure for 
it (committing a patch only to /private/main/), or commit both to public 
2.x.y and upstream libgadu repository?

By the some point in the future, I plan to provide a way to replace http 
implementation in libgadu with external one (in our case, libpurple http 
implementation). Unfortunately, it's not as easy as it was in case of 
our internal protocol implementations.

Tomek

> 2. A NULL dereference in Mxit; they say it's remotely exploitable if
>     you can "allocate enough memory that the kernel maps the lowest
>     page" (paraphrased), which is bogus on Unix, but maybe Windows
>     sucks like that.  Either way it's a remote crasher.  Can only be
>     initiated by the server, but that's no excuse.
>
> 3. Our Windows URL sanitizing is totally broken and they showed an
>     example of why.
>
> 4. SIP SIMPLE can be caused to NULL dereference.  I think this is
>     probably a more general logic bug, but it's a remote crasher either
>     way.  They make the same claims as #2.
>
> Ethan
> _______________________________________________
> security mailing list
> security at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/security
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libpurple-gg-http-overflow.patch
Type: text/x-patch
Size: 694 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20131125/38258175/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4225 bytes
Desc: Kryptograficzna sygnatura S/MIME
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20131125/38258175/attachment-0001.bin>

More information about the security mailing list