libpurple gadu-gadu issues

Lukas Odzioba lukas.odzioba at gmail.com
Sat Sep 6 13:16:56 EDT 2014


2014-09-06 12:50 GMT+02:00 Tomasz Wasilczyk <tomkiewi at gmail.com>:
> We've been talking about three issues:
> 1. a possibility to use a feature that doesn't officially exist in the
> (old version of) protocol
> 2. a possibility for the attacker to allocate a memory on the client
> 3. a buffer overflow

> Summing up, I think the only CVE worth requesting is for the third
> issue mentioned before. But my opinion might not be the same as other devs'.


Hehe, in my opinion only the second issue might require a CVE.
It is similar to example 3 listed here:
http://cwe.mitre.org/data/definitions/400.html
Additionally:
-user is not aware of being attacked (unlike when he starts receiving
spam messages)
-this bug has impact on other applications (out of memory behaviour)
-when pidgin receives a message, is it stored forever during the app lifetime?

So let's move to 3rd issue.
If I understand the logic correctly:
- function gg_session_handle_userlist_reply reads data from *ptr even
if len is equal to 0
- it is not a buffer overflow because it reads only 1 byte from the heap and
stores it in a known location on the stack (likely).
- the question is whether the src memory is "valid"
- the following line is responsible for allocating memory for packet
libgadu.c:  if (!(sess->recv_buf = malloc(sizeof(h) + h.length + 1)))
- if there were no +1 there, then we could read data from not
allocated memory (maybe other versions are affected?)

Please correct me if I am wrong, I do not see buffer overflow here.

Seems that I did not mention pidgin version previously: 2.10.7.

Thanks for contact,
Lukas
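As an added illustration of the reasoning above (example code, not libgadu's or Pidgin's own): a constructed packet builder that mirrors the quoted malloc(sizeof(h) + h.length + 1) pattern, an unchecked handler that dereferences ptr even when len == 0 (the read lands on the +1 slack byte, so it is in bounds but returns a byte the peer never sent), and a length-checked handler that rejects the empty payload. The names struct hdr, handle_unchecked, handle_checked and run_reply are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header modelled on the thread's description (a type and a
 * length field followed by `length` payload bytes); not libgadu's real struct. */
struct hdr { uint32_t type; uint32_t length; };

typedef int (*handler_fn)(const unsigned char *ptr, size_t len, int *out_type);

/* Mirrors the allocation quoted from libgadu.c:
 * malloc(sizeof(h) + h.length + 1). Only the trailing +1 keeps a
 * zero-length read inside the allocation. */
static unsigned char *build_packet(uint32_t type, const unsigned char *payload, uint32_t len) {
    struct hdr h = { type, len };
    unsigned char *buf = malloc(sizeof(h) + len + 1);
    if (!buf) return NULL;
    memcpy(buf, &h, sizeof(h));
    if (len) memcpy(buf + sizeof(h), payload, len);
    buf[sizeof(h) + len] = 0;           /* the slack byte */
    return buf;
}

/* Unchecked handler: dereferences ptr even when len == 0. The read lands
 * on the slack byte, so it is in bounds, but the value was never sent. */
static int handle_unchecked(const unsigned char *ptr, size_t len, int *out_type) {
    (void)len;
    *out_type = ptr[0];
    return 0;
}

/* Hardened handler: refuse to read a field the payload does not contain. */
static int handle_checked(const unsigned char *ptr, size_t len, int *out_type) {
    if (len < 1) return -1;
    *out_type = ptr[0];
    return 0;
}

/* Build a packet, hand its payload to `fn` the way the session code would,
 * and return the parsed type byte, or -1 if the handler rejected it. */
static int run_reply(handler_fn fn, const unsigned char *payload, uint32_t len) {
    unsigned char *buf = build_packet(0, payload, len);
    struct hdr h;
    int type = -1, rc;
    if (!buf) return -1;
    memcpy(&h, buf, sizeof(h));
    rc = fn(buf + sizeof(h), h.length, &type);
    free(buf);
    return rc < 0 ? -1 : type;
}

static const unsigned char sample_payload[1] = { 0x42 };  /* constructed input */
```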

