Possible bugs

Tomasz Wasilczyk twasilczyk at pidgin.im
Sun Dec 14 05:37:40 EST 2014

2014-12-14 5:22 GMT+01:00 Eric K Wong <ekw269 at nyu.edu>:
> Hello,
> I’ve been reviewing the code for Pidgin 2.10.10 as part of an application
> security class, and may have found a couple of bugs.  I do not have
> exploits or any debugging information—this is strictly from review.
> The first possible bug is in libpurple/protocols/gg/lib/events.c.  Here, I
> think a crafted packet might be able to cause a program crash (at worst).
> The variable 'host' is defined on line 974 as a 128 character array.
> However, when it is used in the sscanf function on line 1251, the format
> string specifies 128 characters to write into this array.  I think this
> means that if the received string is long enough, since it comes from the
> socket, the null termination byte is stored in byte position 129, causing a
> buffer overflow.  The fix is to change the length of 'host' or change the
> format string to %127s.


This one was already detected and fixed in our next release [1] and
upstream [2].

I'm not sure about the second one.


[1] https://hg.pidgin.im/pidgin/main/rev/20467cdcdbdd
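As an added illustration (not code from the report, from libpurple or from libgadu): the width arithmetic behind the overflow described above, next to a hypothetical parser that derives the sscanf field width from the buffer size so the two cannot drift apart. The "host port" line format and both sample lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Size of the 'host' array described in the report. */
#define HOST_LEN 128

/* A "%Ns" conversion stores up to N characters plus a terminating NUL,
 * i.e. N + 1 bytes. Returns 1 if that fits in bufsize bytes, else 0. */
int scanf_width_fits(size_t width, size_t bufsize)
{
    return width + 1 <= bufsize;
}

/* Hypothetical "host port" parser (not the libgadu code). The field width
 * is computed from the buffer size at runtime, so the format string and the
 * array length cannot disagree the way "%128s" into char[128] did.
 * Returns 1 when both fields were parsed, 0 otherwise. */
int parse_host_port(const char *line, char *host, size_t hostsize, int *port)
{
    char fmt[32];
    if (hostsize < 2)
        return 0;
    /* Produces "%127s %d" for a 128-byte buffer. */
    snprintf(fmt, sizeof fmt, "%%%zus %%d", hostsize - 1);
    return sscanf(line, fmt, host, port) == 2;
}

int main(void)
{
    char host[HOST_LEN];
    int port = 0;
    /* Constructed sample lines: one well-formed, one with a 200-byte host. */
    char overlong[256];
    memset(overlong, 'a', 200);
    strcpy(overlong + 200, " 8080");

    printf("%%128s into char[128] fits: %d\n", scanf_width_fits(128, HOST_LEN));
    printf("%%127s into char[128] fits: %d\n", scanf_width_fits(127, HOST_LEN));

    if (parse_host_port("example.invalid 8080", host, sizeof host, &port))
        printf("host=%s port=%d\n", host, port);

    /* The host field is truncated to 127 bytes + NUL; the leftover 'a's then
     * make %d fail, so the overlong line is rejected instead of overflowing. */
    if (!parse_host_port(overlong, host, sizeof host, &port))
        printf("overlong line rejected, host truncated to %zu bytes\n", strlen(host));
    return 0;
}
```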