libpurple oob write in purple_markup_strip_html

Gary Kramlich grim at reaperworld.com
Wed Mar 1 10:30:34 EST 2017


Sorry for the super late reply, been meaning to do this for a while but
kept forgetting to.  Also as I understand it, you've been reached via
some back channels, but that's no excuse for the lack of
communication.

At any rate, a patch has been prepared and is attached.  A CVE has
been requested and we're waiting for an official number.  We will be
releasing Pidgin 2.12.0 on 20170310 at 0200 UTC with your fix.  That
is the embargo date that has been given to distributions so that they
can patch ahead of time.

Thank you again for finding this and bringing it to our attention.

--
Gary Kramlich <grim at reaperworld.com>

On Wed, Feb 1, 2017 at 4:56 PM, Joseph Bisch <joseph.bisch at gmail.com> wrote:
> Hi,
>
> Calling purple_markup_strip_html with the string "&# 3000;" (remove
> the outermost quotation mark characters and note that there is a space
> between the '#' and '3' characters) results in an oob write that can be
> detected when using a libpurple that has been compiled with ASan.
>
> I believe this may potentially be security-critical because of the
> write past the end of the buffer.
>
> I have not been able to trigger this using Pidgin. I've just been
> trying with the plugins that come included with Pidgin. I figure that
> you must be more familiar with the Pidgin source code and with the
> plugin ecosystem, so you should be able to judge if this is actually a
> security issue.
>
> Sorry in advance if this can't actually be triggered in normal usage
> of libpurple and it is a bug with my fuzzing process instead.
>
> The command "hg parent" in the Pidgin source tree reports:
> changeset:   38204:7ccb54f5d342
>
> Joseph
>
> The ASan output follows:
>
> =================================================================
> ==3029==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x60200000575d at pc 0x7fe27f2314c2 bp 0x7ffde727b030 sp
> 0x7ffde727b028
> WRITE of size 1 at 0x60200000575d thread T0
>     #0 0x7fe27f2314c1 in purple_markup_strip_html
> /home/joseph/pidgin-fuzz/main/libpurple/util.c:2470:14
>     #1 0x50c893 in LLVMFuzzerTestOneInput
> /home/joseph/pidgin-fuzz/main/fuzzer/fuzz.c:26:9
>     #2 0x50c893 in main /home/joseph/pidgin-fuzz/main/fuzzer/fuzz.c:34
>     #3 0x7fe279517290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
>     #4 0x419a69 in _start
> (/home/joseph/pidgin-fuzz/main/fuzzer/.libs/lt-fuzz+0x419a69)
>
> 0x60200000575d is located 0 bytes to the right of 13-byte region
> [0x602000005750,0x60200000575d)
> allocated by thread T0 here:
>     #0 0x4cfe48 in __interceptor_malloc
> /home/joseph/aur/llvm-svn/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
>     #1 0x7fe27a8f8b98 in g_malloc (/usr/lib/libglib-2.0.so.0+0x4fb98)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> /home/joseph/pidgin-fuzz/main/libpurple/util.c:2470:14 in
> purple_markup_strip_html
> Shadow bytes around the buggy address:
>   0x0c047fff8a90: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa
>   0x0c047fff8aa0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
>   0x0c047fff8ab0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
>   0x0c047fff8ac0: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 fa
>   0x0c047fff8ad0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
> =>0x0c047fff8ae0: fa fa 00 fa fa fa 00 05 fa fa 00[05]fa fa fa fa
>   0x0c047fff8af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff8b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==3029==ABORTING
> _______________________________________________
> security mailing list
> security at pidgin.im
> https://pidgin.im/cgi-bin/mailman/listinfo/security
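The report above describes a one-byte heap write past a 13-byte buffer when purple_markup_strip_html is handed "&# 3000;". The following C program is an added illustration, not libpurple's code and not the attached patch, and it makes no claim about the actual root cause in util.c. It shows the two defensive properties a stripper of this kind needs: a malformed numeric entity (no digit directly after "&#") is copied through as literal text rather than decoded, and every output write is checked against the caller's buffer length so truncation is reported instead of overflowing. It also includes a harness in the shape of the libFuzzer entry point visible in the stack trace (LLVMFuzzerTestOneInput), which must NUL-terminate the fuzzer's raw bytes before calling a C-string API. All function names and the sample inputs are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a decimal numeric entity starting at s (s points at "&#").
 * Returns the number of input bytes consumed and stores the code point in
 * *cp, or returns 0 if the text is not a well-formed entity. The reporter's
 * "&# 3000;" fails here because no digit follows "&#". */
static size_t parse_numeric_entity(const char *s, unsigned long *cp) {
    size_t i = 2;
    unsigned long v = 0;
    int digits = 0;
    if (s[0] != '&' || s[1] != '#') return 0;
    while (isdigit((unsigned char)s[i])) {
        if (v > 0x10FFFF) return 0;          /* bound v before multiplying */
        v = v * 10 + (unsigned long)(s[i] - '0');
        i++;
        digits++;
    }
    if (digits == 0 || s[i] != ';') return 0;
    if (v > 0x10FFFF) return 0;              /* not a valid code point */
    *cp = v;
    return i + 1;                             /* include the ';' */
}

/* Append cp as UTF-8 at out[*pos] only if it fits with room for the NUL.
 * Returns 1 on success, 0 if there is no space. */
static int put_utf8(char *out, size_t outlen, size_t *pos, unsigned long cp) {
    unsigned char buf[4];
    size_t n;
    if (cp < 0x80)        { buf[0] = (unsigned char)cp; n = 1; }
    else if (cp < 0x800)  { buf[0] = (unsigned char)(0xC0 | (cp >> 6));
                            buf[1] = (unsigned char)(0x80 | (cp & 0x3F)); n = 2; }
    else if (cp < 0x10000){ buf[0] = (unsigned char)(0xE0 | (cp >> 12));
                            buf[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
                            buf[2] = (unsigned char)(0x80 | (cp & 0x3F)); n = 3; }
    else                  { buf[0] = (unsigned char)(0xF0 | (cp >> 18));
                            buf[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
                            buf[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
                            buf[3] = (unsigned char)(0x80 | (cp & 0x3F)); n = 4; }
    if (*pos + n >= outlen) return 0;
    memcpy(out + *pos, buf, n);
    *pos += n;
    return 1;
}

/* Strip <...> tags and decode numeric entities into a caller-provided
 * buffer. Every write is bounds-checked and out is always NUL-terminated.
 * Returns the number of bytes written (excluding NUL), or -1 on truncation. */
int strip_markup(const char *in, char *out, size_t outlen) {
    size_t pos = 0;
    size_t i = 0;
    if (outlen == 0) return -1;
    while (in[i] != '\0') {
        if (in[i] == '<') {
            const char *close = strchr(in + i, '>');
            if (!close) break;                /* unterminated tag: drop rest */
            i = (size_t)(close - in) + 1;
            continue;
        }
        if (in[i] == '&' && in[i + 1] == '#') {
            unsigned long cp;
            size_t used = parse_numeric_entity(in + i, &cp);
            if (used) {
                if (!put_utf8(out, outlen, &pos, cp)) { out[pos] = '\0'; return -1; }
                i += used;
                continue;
            }
            /* malformed entity: fall through and copy the '&' literally */
        }
        if (pos + 1 >= outlen) { out[pos] = '\0'; return -1; }
        out[pos++] = in[i++];
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Harness in the shape of a libFuzzer entry point: the fuzzer supplies raw
 * bytes with no terminator, so they are copied into a NUL-terminated buffer
 * before a C-string API is called. Returns strip_markup's result. */
int fuzz_one_input(const uint8_t *data, size_t size) {
    char out[64];
    char *in = malloc(size + 1);
    int r;
    if (!in) return -1;
    memcpy(in, data, size);
    in[size] = '\0';
    r = strip_markup(in, out, sizeof out);
    free(in);
    return r;
}

int main(void) {
    /* constructed inputs, including the reporter's "&# 3000;" trigger */
    const char *samples[] = { "&# 3000;", "&#3000;", "<b>hi</b> &#65;", "&#;" };
    char out[64];
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int n = strip_markup(samples[k], out, sizeof out);
        printf("%-16s -> %d bytes\n", samples[k], n);
    }
    return 0;
}
```

Running it under ASan (`-fsanitize=address`) with a deliberately small output buffer is the quick way to confirm that truncation is reported through the return value rather than showing up as a heap-buffer-overflow like the one in the report.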



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2.12.0-xml-out-of-bounds.patch
Type: text/x-patch
Size: 1113 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20170301/0a670e64/attachment.bin>

