Possible bugs
Tomasz Wasilczyk
twasilczyk at pidgin.im
Sun Dec 14 05:37:40 EST 2014
2014-12-14 5:22 GMT+01:00 Eric K Wong <ekw269 at nyu.edu>:
>
> Hello,
>
> I’ve been reviewing the code for Pidgin 2.10.10 as part of an application
> security class, and may have found a couple of bugs. I do not have
> exploits or any debugging information—this is strictly from review.
>
> The first possible bug is in libpurple/protocols/gg/lib/events.c. Here, I
> think a crafted packet might be able to cause a program crash (at worst).
> The variable 'host' is defined on line 974 as a 128 character array.
> However, when it is used in the sscanf function on line 1251, the format
> string specifies 128 characters to write into this array. I think this
> means that if the received string is long enough, since it comes from the
> socket, the null termination byte is stored in byte position 129, causing a
> buffer overflow. The fix is to change the length of 'host' or change the
> format string to %127s.
>
Hi,

This one was already detected and fixed in our next release [1] and
upstream [2].
I'm not sure about the second one.
Thanks,
Tomek
[1] https://hg.pidgin.im/pidgin/main/rev/20467cdcdbdd
[2] https://github.com/wojtekka/libgadu/commit/b7914d833f50c4ec1e0964b8bd9154d98ca45c22
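To make the off-by-one in the quoted report concrete, here is an added example (not Pidgin's or libgadu's code) that puts the vulnerable `%128s`-into-`char[128]` pattern next to a hardened parser whose scanf width is derived from the buffer size; the "host port" line format, `parse_server_line` and `scanf_width_fits` are constructed for illustration and are not libgadu's real format or functions.

```c
#include <stdio.h>
#include <string.h>

/* Longest hostname we accept; the buffer holds one extra byte for the NUL. */
#define HOST_MAX 127
#define HOST_BUF (HOST_MAX + 1)

/* Turn a numeric macro into a string literal so the scanf width is tied to
 * the buffer size instead of being typed by hand next to it. */
#define STR_(x) #x
#define STR(x) STR_(x)

/* Vulnerable pattern from the report: a 128-byte array read with %128s.
 * A %Ns conversion stores up to N characters PLUS a terminating NUL, so a
 * 128-character token writes 129 bytes: a one-byte stack overflow.
 * Kept only for comparison; it is never called on untrusted input here. */
int parse_server_line_vulnerable(const char *line, char host[128], int *port)
{
    return sscanf(line, "%128s %d", host, port) == 2;
}

/* Hardened form for a constructed "host port" line (not libgadu's format):
 * width HOST_MAX (127) for a HOST_BUF (128) byte buffer, so the NUL always
 * fits. Over-long tokens are not silently truncated: the leftover characters
 * make the %d conversion fail, and the whole line is rejected. */
int parse_server_line(const char *line, char host[HOST_BUF], int *port)
{
    host[0] = '\0';
    *port = 0;
    if (sscanf(line, "%" STR(HOST_MAX) "s %d", host, port) != 2)
        return 0;
    return 1;
}

/* Review check for any %Ns-into-char[M] pair: N chars plus NUL must fit. */
int scanf_width_fits(size_t width, size_t bufsize)
{
    return width + 1 <= bufsize;
}

int main(void)
{
    char host[HOST_BUF];
    int port;
    /* Constructed input: a 127-character name, the longest we accept. */
    char line[HOST_BUF + 16];
    memset(line, 'a', HOST_MAX);
    line[HOST_MAX] = '\0';
    strcat(line, " 8074");
    printf("127-char host accepted: %d\n", parse_server_line(line, host, &port));
    printf("width 128 into char[128] fits: %d\n", scanf_width_fits(128, 128));
    return 0;
}
```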