Summary of security stuff for 2.12.1

Gary Kramlich grim at reaperworld.com
Tue Oct 3 11:00:52 EDT 2017


On Tue, Oct 3, 2017 at 2:42 AM, dequis <dx at dxzone.com.ar> wrote:
> This is what we have so far. Fun release.
>
> General things to keep in mind:
>
> - We need 7 CVEs I guess. I wanted to prepare more consistent summaries
> but I want to get this email sent asap before it's forgotten in my
> drafts again. Are the ones in this email enough to request CVEs?

Holy crap.  Let me see what we can do.  I don't think we'll get all of
these covered by the 11th, but we can either kick another release out
shortly after 2.12.1 or we can push the date.

> - We need to notify adium.

This can be difficult.  Which ones in particular affect Adium?  Looks
like quite a few.  For some reason I thought they weren't using an IRC
prpl, but that's probably wrong.  What about notifying Instant Bird?

> - Bugs 3 to 7 lack patches. I intend to get to it this week. Some are trivial.

Keep me posted here.

> - Bug 1 has a PR from months ago and I feel bad for leaving hanno
> waiting like that :(

Yeah, it happens :-/

> - Grim please do not review the security repo PRs in your twitch
> streams thank you

Roger, just make sure they're not in pidgin/main and we should be good to go :)

> The bugs:
>
> 1. "one byte buffer overread in function purple_markup_linkify"
> by Hanno Böck
>
> https://pidgin.im/cgi-bin/mailman/private/security/2017-April/001422.html
> https://bitbucket.org/pidgin/security/pull-requests/19
>
> 2. "DoS against Pidgin's IRC protocol implementation"
> by Shivaram Lingamneni
>
> This one was initially reported publicly. There's no amplification,
> just memory allocations of as much memory as the server sends without
> newlines. I used to think it maybe didn't deserve a CVE but eh, we got
> enough of the others already.
>
> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001903.html
> https://bitbucket.org/pidgin/main/pull-requests/272/fixes-to-irc-buffer-handling-replaces-256/diff
>
> 3. "Pidgin attempts to free an address which was not malloc()-ed"
> by Joseph Bisch
>
> AKA double free of irc->motd
>
> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001973.html
>
> 4. "Pidgin uaf when cancelling file select dialog after accepting DCC SEND"
> by Joseph Bisch
>
> Requires user interaction, maybe not worth a CVE?
>
> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001981.html
>
> 5. "Libpurple irc out of bounds read in irc_nick_skip_mode"
> by Joseph Bisch
>
> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001986.html
>
> 6. "Libpurple buffer overflow write in irc_parse_ctcp"
> by Joseph Bisch
>
> (the mail subject says libpidgin, that's a typo)
>
> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001998.html
>
> 7. "Libpurple stack overflow in g_markup_escape_text (truncated utf8??)"
> by Joseph Bisch
>
> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/002019.html
> _______________________________________________
> security mailing list
> security at pidgin.im
> https://pidgin.im/cgi-bin/mailman/listinfo/security

Thanks,

--
Gary Kramlich <grim at reaperworld.com>
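For the class of issue in bug 2 above (memory allocated in proportion to whatever the server sends without a newline), here is an added example in C. It is not libpurple's or Pidgin's code and not the fix from the linked pull request: a naive IRC-style line reader beside a bounded one. The names line_buf, feed_unbounded, feed_bounded, MAX_LINE and the 1024-byte cap are assumptions for illustration, and the input (1 MiB of 'A' with no newline, then a normal PING line) is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libpurple code: an IRC-style line reader in its naive
 * form (buffer until '\n' arrives) and a bounded form.  All names here
 * (line_buf, feed_unbounded, feed_bounded, MAX_LINE) are hypothetical. */

#define MAX_LINE 1024   /* assumed cap; RFC 1459 allows 512 bytes incl. CRLF */

typedef struct {
    char  *data;
    size_t len, cap;
    size_t dropped;   /* bytes discarded from over-long lines (bounded only) */
    size_t lines;     /* complete lines handed to handle_line */
    int    skipping;  /* bounded only: discarding until the next '\n' */
} line_buf;

/* Stand-in for the protocol parser; here it only counts lines. */
static void handle_line(line_buf *b, const char *line, size_t n) { (void)line; (void)n; b->lines++; }

/* Hand every complete line (CR/LF stripped) to handle_line, keep the tail. */
static void consume_lines(line_buf *b) {
    size_t start = 0, n;
    char *nl;
    if (b->len == 0) return;
    while ((nl = memchr(b->data + start, '\n', b->len - start)) != NULL) {
        n = (size_t)(nl - (b->data + start));
        if (n > 0 && b->data[start + n - 1] == '\r') n--;
        handle_line(b, b->data + start, n);
        start = (size_t)(nl - b->data) + 1;
    }
    memmove(b->data, b->data + start, b->len - start);
    b->len -= start;
}

/* Naive reader: grows the buffer by however much arrives.  A server that
 * never sends '\n' makes it allocate memory proportional to the bytes sent. */
static int feed_unbounded(line_buf *b, const char *in, size_t n) {
    if (b->len + n + 1 > b->cap) {
        size_t ncap = (b->len + n + 1) * 2;
        char *p = realloc(b->data, ncap);
        if (!p) return -1;
        b->data = p; b->cap = ncap;
    }
    memcpy(b->data + b->len, in, n);
    b->len += n;
    consume_lines(b);
    return 0;
}

/* Bounded reader: never holds more than MAX_LINE bytes of partial line.  A
 * line that fills the buffer with no newline is dropped and the remainder is
 * skipped up to the next '\n'; later lines on the connection still parse. */
static int feed_bounded(line_buf *b, const char *in, size_t n) {
    if (!b->data) {
        b->cap = MAX_LINE + 1;
        if (!(b->data = malloc(b->cap))) return -1;
    }
    while (n > 0) {
        size_t take, room = MAX_LINE - b->len;
        if (b->skipping) {
            const char *nl = memchr(in, '\n', n);
            take = nl ? (size_t)(nl - in) + 1 : n;
            b->dropped += take; in += take; n -= take;
            if (nl) b->skipping = 0;
            continue;
        }
        take = n < room ? n : room;
        memcpy(b->data + b->len, in, take);
        b->len += take; in += take; n -= take;
        consume_lines(b);
        if (b->len == MAX_LINE) {   /* buffer full and still no newline */
            b->dropped += b->len; b->len = 0; b->skipping = 1;
        }
    }
    return 0;
}

typedef struct { size_t cap, dropped, lines; } demo_result;

/* Drive one reader with n newline-free bytes (constructed, standing in for a
 * hostile server) followed by an ordinary "PING :x" line. */
static demo_result run_reader(int bounded, size_t n) {
    int (*feed)(line_buf *, const char *, size_t) = bounded ? feed_bounded : feed_unbounded;
    line_buf b = {0};
    demo_result r;
    char *junk = malloc(n);
    memset(junk, 'A', n);
    feed(&b, junk, n);
    feed(&b, "\nPING :x\r\n", 10);
    r.cap = b.cap; r.dropped = b.dropped; r.lines = b.lines;
    free(junk); free(b.data);
    return r;
}

int main(void) {
    demo_result u = run_reader(0, 1u << 20), k = run_reader(1, 1u << 20);
    printf("unbounded: cap=%zu lines=%zu\n", u.cap, u.lines);
    printf("bounded:   cap=%zu dropped=%zu lines=%zu\n", k.cap, k.dropped, k.lines);
    return 0;
}
```

Compiled and run, the naive reader's buffer capacity grows past the 1 MiB of newline-free junk it was fed, while the bounded one stays at MAX_LINE + 1 bytes, drops the oversize line, and still parses the PING that follows. Capping the partial line is the straightforward mitigation; what the cap should be for a given protocol, and whether to disconnect rather than skip, are separate decisions.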

