Summary of security stuff for 2.12.1

dequis dx at dxzone.com.ar
Mon Mar 5 02:55:20 EST 2018


Bumping this one.

There are PRs open in the security repo for bugs 1, 3, 5, 6, 7

1 https://bitbucket.org/pidgin/security/pull-requests/20
3 https://bitbucket.org/pidgin/security/pull-requests/21
5 https://bitbucket.org/pidgin/security/pull-requests/22
6 https://bitbucket.org/pidgin/security/pull-requests/23
7 https://bitbucket.org/pidgin/security/pull-requests/24

Bug 2 didn't go through the security repo and was merged already

Bug 4 seems pretty damn tricky (refcounting, implied borrows and weird
lifetimes, all the stuff where C sucks) and not even worth considering
a vulnerability since you have to press cancel to get a use after free
of something freed a few instructions ago (so, unlikely to find that
its memory is corrupted already). It's still a bug. Some day someone
should do something about it.

Most issues are simple one line fixes. I tested that they fix what
they intend to fix.

Let's just get this stupid release out of the way asap.

On 3 October 2017 at 12:00, Gary Kramlich <grim at reaperworld.com> wrote:
> On Tue, Oct 3, 2017 at 2:42 AM, dequis <dx at dxzone.com.ar> wrote:
>> This is what we have so far. Fun release.
>>
>> General things to keep in mind:
>>
>> - We need 7 CVEs I guess. I wanted to prepare more consistent summaries
>> but I want to get this email sent asap before it's forgotten in my
>> drafts again. Are the ones in this email enough to request CVEs?
>
> Holy crap.  Let me see what we can do.  I don't think we'll get all of
> these covered by the 11th, but we can either kick another release out
> shortly after 2.12.1 or we can push the date.
>
>> - We need to notify adium.
>
> This can be difficult.  Which ones in particular affect Adium, looks
> like quite a few?  For some reason I thought they weren't using an IRC
> prpl, but that's probably wrong.  What about notifying Instant Bird?
>
>> - Bugs 3 to 7 lack patches. I intend to get to it this week. Some are trivial.
>
> Keep me posted here.
>
>> - Bug 1 has a PR from months ago and I feel bad for leaving hanno
>> waiting like that :(
>
> Yeah, it happens :-/
>
>> - Grim please do not review the security repo PRs in your twitch
>> streams thank you
>
> Roger, just make sure they're not in pidgin/main and we should be good to go :)
>
>> The bugs:
>>
>> 1. "one byte buffer overread in function purple_markup_linkify"
>> by Hanno Böck
>>
>> https://pidgin.im/cgi-bin/mailman/private/security/2017-April/001422.html
>> https://bitbucket.org/pidgin/security/pull-requests/19
>>
>> 2. "DoS against Pidgin's IRC protocol implementation"
>> by Shivaram Lingamneni
>>
>> This one was initially reported publicly. There's no amplification,
>> just memory allocations of as much memory as the server sends without
>> newlines. I used to think it maybe didn't deserve a CVE but eh, we got
>> enough of the others already.
>>
>> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001903.html
>> https://bitbucket.org/pidgin/main/pull-requests/272/fixes-to-irc-buffer-handling-replaces-256/diff
>>
>> 3. "Pidgin attempts to free an address which was not malloc()-ed"
>> by Joseph Bisch
>>
>> AKA double free of irc->motd
>>
>> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001973.html
>>
>> 4. "Pidgin uaf when cancelling file select dialog after accepting DCC SEND"
>> by Joseph Bisch
>>
>> Requires user interaction, maybe not worth a CVE?
>>
>> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001981.html
>>
>> 5. "Libpurple irc out of bounds read in irc_nick_skip_mode"
>> by Joseph Bisch
>>
>> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001986.html
>>
>> 6. "Libpurple buffer overflow write in irc_parse_ctcp"
>> by Joseph Bisch
>>
>> (the mail subject says libpidgin, that's a typo)
>>
>> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001998.html
>>
>> 7. "Libpurple stack overflow in g_markup_escape_text (truncated utf8??)"
>> by Joseph Bisch
>>
>> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/002019.html
>> _______________________________________________
>> security mailing list
>> security at pidgin.im
>> https://pidgin.im/cgi-bin/mailman/listinfo/security
>
> Thanks,
>
> --
> Gary Kramlich <grim at reaperworld.com>

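An added illustration of the buffer-handling failure mode described for bug 2 in the thread above: a client that keeps appending received bytes until a newline arrives lets a server that never sends one drive the client's allocations without bound, with no amplification needed. This is constructed example code written for this page; it is not libpurple's IRC prpl and not the fix in the pull request linked above. The 512-byte line cap (taken from the classic IRC line limit), the 100-byte chunk size and every function and type name here are assumptions.

```c
/* Constructed example: unbounded vs. bounded line accumulation for a
 * line-oriented protocol such as IRC. Not libpurple code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IRC_MAX_LINE 512   /* assumed cap: classic IRC limit incl. CRLF */

struct line_buf {
    char *data;      /* partial line not yet terminated by '\n' */
    size_t len, cap;
    int skipping;    /* bounded reader: discarding an over-long line */
    size_t lines;    /* complete lines delivered */
    size_t dropped;  /* over-long lines discarded */
};

static void lb_init(struct line_buf *b) { memset(b, 0, sizeof *b); }
static void lb_free(struct line_buf *b) { free(b->data); lb_init(b); }

/* Deliver one complete line; this example only counts them. */
static void handle_line(struct line_buf *b, const char *line, size_t n) {
    (void)line; (void)n;
    b->lines++;
}

/* Grow-and-append; doubles the allocation as needed. */
static int lb_append(struct line_buf *b, const char *p, size_t n) {
    if (b->len + n + 1 > b->cap) {
        size_t ncap = b->cap ? b->cap : 64;
        while (ncap < b->len + n + 1) ncap *= 2;
        char *nd = realloc(b->data, ncap);
        if (!nd) return -1;
        b->data = nd; b->cap = ncap;
    }
    memcpy(b->data + b->len, p, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

/* Vulnerable pattern: appends until a newline shows up, so the partial
 * line grows to whatever the peer sends without one. */
int feed_unbounded(struct line_buf *b, const char *chunk, size_t n) {
    while (n) {
        const char *nl = memchr(chunk, '\n', n);
        size_t take = nl ? (size_t)(nl - chunk) : n;
        if (lb_append(b, chunk, take)) return -1;
        if (nl) { handle_line(b, b->data, b->len); b->len = 0; take++; }
        chunk += take; n -= take;
    }
    return 0;
}

/* Hardened pattern: once the partial line would exceed IRC_MAX_LINE,
 * discard input up to the next newline and count the line as dropped.
 * Memory held is bounded by the cap no matter what the peer sends. */
int feed_bounded(struct line_buf *b, const char *chunk, size_t n) {
    while (n) {
        const char *nl = memchr(chunk, '\n', n);
        size_t take = nl ? (size_t)(nl - chunk) : n;
        if (b->skipping) {
            /* discard until the newline */
        } else if (b->len + take > IRC_MAX_LINE) {
            b->skipping = 1; b->len = 0;
        } else if (lb_append(b, chunk, take)) {
            return -1;
        }
        if (nl) {
            if (b->skipping) { b->dropped++; b->skipping = 0; }
            else handle_line(b, b->data, b->len);
            b->len = 0; take++;
        }
        chunk += take; n -= take;
    }
    return 0;
}

struct sim_result { size_t peak, lines, dropped; };

/* Simulate a hostile peer: `total` bytes of 'A' in 100-byte chunks with
 * no newline, then one CRLF. Reports the largest partial line held. */
struct sim_result simulate(int (*feed)(struct line_buf *, const char *, size_t),
                           size_t total) {
    struct line_buf b; struct sim_result r = {0, 0, 0};
    char chunk[100]; memset(chunk, 'A', sizeof chunk);
    lb_init(&b);
    while (total) {
        size_t n = total < sizeof chunk ? total : sizeof chunk;
        if (feed(&b, chunk, n)) break;
        if (b.len > r.peak) r.peak = b.len;
        total -= n;
    }
    feed(&b, "\r\n", 2);
    r.lines = b.lines; r.dropped = b.dropped;
    lb_free(&b);
    return r;
}

/* Feed a well-formed string and return how many lines were delivered. */
size_t count_lines(int (*feed)(struct line_buf *, const char *, size_t),
                   const char *s) {
    struct line_buf b; lb_init(&b);
    feed(&b, s, strlen(s));
    size_t n = b.lines; lb_free(&b);
    return n;
}

int main(void) {
    struct sim_result u = simulate(feed_unbounded, 1u << 20);
    struct sim_result h = simulate(feed_bounded, 1u << 20);
    printf("unbounded: peak %zu bytes, %zu lines, %zu dropped\n", u.peak, u.lines, u.dropped);
    printf("bounded:   peak %zu bytes, %zu lines, %zu dropped\n", h.peak, h.lines, h.dropped);
    return 0;
}
```

The unbounded reader ends up holding the full 1 MiB the simulated server sent; the bounded one never holds more than 500 bytes, drops the over-long line and still delivers ordinary CRLF-terminated lines normally.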
