twasilczyk at pidgin.im
Sun Dec 14 05:37:40 EST 2014
2014-12-14 5:22 GMT+01:00 Eric K Wong <ekw269 at nyu.edu>:
> I’ve been reviewing the code for Pidgin 2.10.10 as part of an application
> security class, and may have found a couple of bugs. I do not have
> exploits or any debugging information—this is strictly from review.
> The first possible bug is in libpurple/protocols/gg/lib/events.c. Here, I
> think a crafted packet might be able to cause a program crash (at worst).
> The variable ‘host’ is defined on line 974 as a 128 character array.
> However, when it is used in the sscanf function on line 1251, the format
> string specifies 128 characters to write into this array. I think this
> means that if the received string is long enough, since it comes from the
> socket, the null termination byte is stored in byte position 129, causing a
> buffer overflow. The fix is to change the length of ‘host’ or change the
> format string to %127s.
this one was already detected and fixed in our next release and
I'm not sure about the second one.
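The off-by-one described in the quoted report, as an added example in C that is not code from Pidgin or from the reporter: it assumes the conversion in question is a plain `%128s` into a 128-byte array, uses a constructed overlong token, measures the write into an oversized scratch buffer instead of overflowing anything, and shows the `%127s` fix with the conversion count checked.

```c
#include <stdio.h>
#include <string.h>

#define HOST_LEN 128      /* size of the 'host' array in the report */
#define SCRATCH_LEN 1024  /* oversized, so measuring is itself safe */

/* Constructed input: a 300-character token, far longer than HOST_LEN,
 * standing in for a field a remote peer controls. */
size_t make_overlong_token(char *out, size_t out_len)
{
    size_t n = 300;
    if (n >= out_len)
        n = out_len - 1;
    memset(out, 'a', n);
    out[n] = '\0';
    return n;
}

/* How many bytes (terminator included) does "%<width>s" write?
 * Only the two literal widths the report compares are supported. */
size_t bytes_written_by(int width, const char *input)
{
    char scratch[SCRATCH_LEN] = {0};
    int rc;
    if (width == 128)
        rc = sscanf(input, "%128s", scratch);
    else if (width == 127)
        rc = sscanf(input, "%127s", scratch);
    else
        return 0;
    return rc == 1 ? strlen(scratch) + 1 : 0;
}

/* Hardened parse: width is array size minus one (room for the NUL),
 * and the conversion count is checked rather than assumed. */
int parse_host(const char *input, char host[HOST_LEN])
{
    return sscanf(input, "%127s", host) == 1 ? 0 : -1;
}

/* 1 if %128s overruns HOST_LEN by one byte while %127s fits. */
int report_checks(void)
{
    char tok[512], host[HOST_LEN];
    make_overlong_token(tok, sizeof tok);
    return bytes_written_by(128, tok) == HOST_LEN + 1
        && bytes_written_by(127, tok) == HOST_LEN
        && parse_host(tok, host) == 0 && strlen(host) == HOST_LEN - 1;
}
```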