Summary of security stuff for 2.12.1

dequis dx at dxzone.com.ar
Tue Oct 3 03:42:31 EDT 2017


This is what we have so far. Fun release.

General things to keep in mind:

- We need 7 CVEs I guess. I wanted to prepare more consistent summaries
but I want to get this email sent asap before it's forgotten in my
drafts again. Are the ones in this email enough to request CVEs?
- We need to notify adium.
- Bugs 3 to 7 lack patches. I intend to get to it this week. Some are trivial.
- Bug 1 has a PR from months ago and I feel bad for leaving hanno
waiting like that :(
- Grim please do not review the security repo PRs in your twitch
streams thank you

The bugs:

1. "one byte buffer overread in function purple_markup_linkify"
by Hanno Böck

https://pidgin.im/cgi-bin/mailman/private/security/2017-April/001422.html
https://bitbucket.org/pidgin/security/pull-requests/19

2. "DoS against Pidgin's IRC protocol implementation"
by Shivaram Lingamneni

This one was initially reported publicly. There's no amplification,
just memory allocations of as much memory as the server sends without
newlines. I used to think it maybe didn't deserve a CVE but eh, we got
enough of the others already.

https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001903.html
https://bitbucket.org/pidgin/main/pull-requests/272/fixes-to-irc-buffer-handling-replaces-256/diff

3. "Pidgin attempts to free an address which was not malloc()-ed"
by Joseph Bisch

AKA double free of irc->motd

https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001973.html

4. "Pidgin uaf when cancelling file select dialog after accepting DCC SEND"
by Joseph Bisch

Requires user interaction, maybe not worth a CVE?

https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001981.html

5. "Libpurple irc out of bounds read in irc_nick_skip_mode"
by Joseph Bisch

https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001986.html

6. "Libpurple buffer overflow write in irc_parse_ctcp"
by Joseph Bisch

(the mail subject says libpidgin, that's a typo)

https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001998.html

7. "Libpurple stack overflow in g_markup_escape_text (truncated utf8??)"
by Joseph Bisch

https://pidgin.im/cgi-bin/mailman/private/security/2017-September/002019.html

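Added illustration (not from this email, not Pidgin/libpurple code) of the mitigation class behind bug 2: a line reader that caps the bytes it will buffer while waiting for a newline, so a peer that never sends one cannot drive allocation indefinitely. The 8192-byte cap, the `line_reader` type and its functions are assumptions made for this example; the sample IRC lines are constructed.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed cap for one pending line; a real client would pick this from the
 * protocol's limits. Anything beyond it is a protocol error, not a reason to
 * keep growing the buffer. */
#define MAX_LINE 8192

typedef struct {
    char *buf;        /* bytes received but not yet terminated by '\n' */
    size_t len;
    size_t cap;
    int overflowed;   /* set once a single line exceeds MAX_LINE */
    size_t lines;     /* complete lines delivered so far */
} line_reader;

void lr_init(line_reader *r) { memset(r, 0, sizeof *r); }
void lr_free(line_reader *r) { free(r->buf); r->buf = NULL; r->len = r->cap = 0; }

/* Append to the pending buffer, refusing to exceed MAX_LINE. */
static int lr_append(line_reader *r, const char *p, size_t n) {
    if (r->len + n > MAX_LINE) { r->overflowed = 1; return -1; }
    if (r->len + n > r->cap) {
        size_t ncap = r->cap ? r->cap * 2 : 512;
        while (ncap < r->len + n) ncap *= 2;
        if (ncap > MAX_LINE) ncap = MAX_LINE;   /* never allocate past the cap */
        char *nb = realloc(r->buf, ncap);
        if (!nb) return -1;
        r->buf = nb;
        r->cap = ncap;
    }
    memcpy(r->buf + r->len, p, n);
    r->len += n;
    return 0;
}

/* Placeholder for the protocol handler; here it only counts lines. */
static void handle_line(line_reader *r, const char *line, size_t n) {
    (void)line; (void)n;
    r->lines++;
}

/* Feed a chunk read from the socket. Returns 0, or -1 once a line has
 * exceeded MAX_LINE (the caller should drop the connection). */
int lr_feed(line_reader *r, const char *data, size_t n) {
    if (r->overflowed) return -1;
    size_t start = 0;
    for (size_t i = 0; i < n; i++) {
        if (data[i] != '\n') continue;
        if (lr_append(r, data + start, i - start) < 0) return -1;
        size_t l = r->len;
        if (l && r->buf[l - 1] == '\r') l--;   /* tolerate CRLF */
        handle_line(r, r->buf, l);
        r->len = 0;                             /* pending buffer reused, not regrown */
        start = i + 1;
    }
    return lr_append(r, data + start, n - start);   /* keep the partial tail */
}

/* Number of complete lines in a stream, or -1 if the cap was hit. */
long count_lines(const char *data, size_t n) {
    line_reader r;
    lr_init(&r);
    int rc = lr_feed(&r, data, n);
    long out = rc < 0 ? -1 : (long)r.lines;
    lr_free(&r);
    return out;
}

/* Constructed hostile input: 10000 bytes with no newline. Returns 1 if the
 * reader rejected it instead of buffering all of it. */
int oversized_line_rejected(void) {
    size_t n = 10000;
    char *junk = malloc(n);
    if (!junk) return 0;
    memset(junk, 'A', n);
    long rc = count_lines(junk, n);
    free(junk);
    return rc == -1;
}

int main(void) {
    const char sample[] = "PING :srv\r\nPRIVMSG #c :hi\nunfinished";   /* constructed */
    printf("complete lines: %ld\n", count_lines(sample, sizeof sample - 1));
    printf("oversized line rejected: %d\n", oversized_line_rejected());
    return 0;
}
```

The point is the clamp in `lr_append`: allocation is bounded by a constant the client chooses, and the condition is reported upward rather than silently absorbed, so the connection can be torn down and the event logged.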
