Summary of security stuff for 2.12.1

Gary Kramlich grim at reaperworld.com
Wed Mar 7 02:25:34 EST 2018


All of these PRs have been merged and are in the security repo.  Also the
next release will be 2.13.0.  See my email to packagers for more info.

On Mon, Mar 5, 2018 at 1:55 AM, dequis <dx at dxzone.com.ar> wrote:

> Bumping this one.
>
> There are PRs open in the security repo for bugs 1, 3, 5, 6, 7
>
> 1 https://bitbucket.org/pidgin/security/pull-requests/20
> 3 https://bitbucket.org/pidgin/security/pull-requests/21
> 5 https://bitbucket.org/pidgin/security/pull-requests/22
> 6 https://bitbucket.org/pidgin/security/pull-requests/23
> 7 https://bitbucket.org/pidgin/security/pull-requests/24
>
> Bug 2 didn't go through the security repo and was merged already
>
> Bug 4 seems pretty damn tricky (refcounting, implied borrows and weird
> lifetimes, all the stuff where C sucks) and not even worth considering
> a vulnerability since you have to press cancel to get a use after free
> of something freed a few instructions ago (so, unlikely to find that
> its memory is corrupted already). It's still a bug. Some day someone
> should do something about it.
>
> Most issues are simple one line fixes. I tested that they fix what
> they intend to fix.
>
> Let's just get this stupid release out of the way asap.
>
> On 3 October 2017 at 12:00, Gary Kramlich <grim at reaperworld.com> wrote:
> > On Tue, Oct 3, 2017 at 2:42 AM, dequis <dx at dxzone.com.ar> wrote:
> >> This is what we have so far. Fun release.
> >>
> >> General things to keep in mind:
> >>
> >> - We need 7 CVEs I guess. I wanted to prepare more consistent summaries
> >> but I want to get this email sent asap before it's forgotten in my
> >> drafts again. Are the ones in this email enough to request CVEs?
> >
> > Holy crap.  Let me see what we can do.  I don't think we'll get all of
> > these covered by the 11th, but we can either kick another release out
> > shortly after 2.12.1 or we can push the date.
> >
> >> - We need to notify adium.
> >
> > This can be difficult.  Which ones in particular affect Adium? It looks
> > like quite a few.  For some reason I thought they weren't using an IRC
> > prpl, but that's probably wrong.  What about notifying Instant Bird?
> >
> >> - Bugs 3 to 7 lack patches. I intend to get to it this week. Some are trivial.
> >
> > Keep me posted here.
> >
> >> - Bug 1 has a PR from months ago and I feel bad for leaving hanno
> >> waiting like that :(
> >
> > Yeah, it happens :-/
> >
> >> - Grim please do not review the security repo PRs in your twitch
> >> streams thank you
> >
> > Roger, just make sure they're not in pidgin/main and we should be good to go :)
> >
> >> The bugs:
> >>
> >> 1. "one byte buffer overread in function purple_markup_linkify"
> >> by Hanno Böck
> >>
> >> https://pidgin.im/cgi-bin/mailman/private/security/2017-April/001422.html
> >> https://bitbucket.org/pidgin/security/pull-requests/19
> >>
> >> 2. "DoS against Pidgin's IRC protocol implementation"
> >> by Shivaram Lingamneni
> >>
> >> This one was initially reported publicly. There's no amplification,
> >> just memory allocations of as much memory as the server sends without
> >> newlines. I used to think it maybe didn't deserve a CVE but eh, we got
> >> enough of the others already.
> >>
> >> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001903.html
> >> https://bitbucket.org/pidgin/main/pull-requests/272/fixes-to-irc-buffer-handling-replaces-256/diff
> >>
> >> 3. "Pidgin attempts to free an address which was not malloc()-ed"
> >> by Joseph Bisch
> >>
> >> AKA double free of irc->motd
> >>
> >> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001973.html
> >>
> >> 4. "Pidgin uaf when cancelling file select dialog after accepting DCC SEND"
> >> by Joseph Bisch
> >>
> >> Requires user interaction, maybe not worth a CVE?
> >>
> >> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001981.html
> >>
> >> 5. "Libpurple irc out of bounds read in irc_nick_skip_mode"
> >> by Joseph Bisch
> >>
> >> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001986.html
> >>
> >> 6. "Libpurple buffer overflow write in irc_parse_ctcp"
> >> by Joseph Bisch
> >>
> >> (the mail subject says libpidgin, that's a typo)
> >>
> >> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/001998.html
> >>
> >> 7. "Libpurple stack overflow in g_markup_escape_text (truncated utf8??)"
> >> by Joseph Bisch
> >>
> >> https://pidgin.im/cgi-bin/mailman/private/security/2017-September/002019.html
> >> _______________________________________________
> >> security mailing list
> >> security at pidgin.im
> >> https://pidgin.im/cgi-bin/mailman/listinfo/security
> >
> > Thanks,
> >
> > --
> > Gary Kramlich <grim at reaperworld.com>
>



-- 
Thanks,

--
Gary Kramlich <grim at reaperworld.com>
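As an added illustration of the defensive shape behind bug 2 above (a server that makes the client buffer as much as it sends without a newline), this is my own example and not code from Pidgin or from either correspondent: a line reader over a fixed-size buffer that refuses an unterminated line once it passes an assumed 512-byte cap. IRC_MAX_LINE, the struct and the function names are assumptions; the input streams are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
/* Assumed bound: RFC 1459 caps IRC lines at 512 bytes including CRLF, so a
 * longer run of bytes with no newline is a broken or hostile server. */
#define IRC_MAX_LINE 512

struct irc_buf {
    char data[IRC_MAX_LINE];  /* fixed: never grows with server input */
    size_t len;               /* bytes of the current, unterminated line */
    size_t lines;             /* complete lines delivered so far */
};

/* Feed one recv() chunk. Complete lines (CR stripped, NUL-terminated) go to
 * handle_line; the rest waits for the next chunk. Returns 0, or -1 once an
 * unterminated line exceeds the bound: the caller should then disconnect. */
static int irc_buf_feed(struct irc_buf *b, const char *chunk, size_t n,
                        void (*handle_line)(const char *line, size_t len))
{
    for (size_t i = 0; i < n; i++) {
        if (chunk[i] == '\n') {
            size_t l = b->len;
            if (l > 0 && b->data[l - 1] == '\r') l--;
            b->data[l] = '\0';
            if (handle_line) handle_line(b->data, l);
            b->lines++;
            b->len = 0;
        } else if (b->len >= IRC_MAX_LINE - 1) {  /* keep room for the NUL */
            return -1;
        } else {
            b->data[b->len++] = chunk[i];
        }
    }
    return 0;
}

/* Demo: the server sends `pattern` `repeats` times, one chunk each. Returns
 * the number of complete lines seen, or -1 if the line bound was hit. */
static long irc_count_lines(const char *pattern, size_t repeats)
{
    struct irc_buf b = {{0}, 0, 0};
    for (size_t i = 0; i < repeats; i++)
        if (irc_buf_feed(&b, pattern, strlen(pattern), NULL) < 0) return -1;
    return (long)b.lines;
}
int main(void)
{
    printf("normal:     %ld lines\n", irc_count_lines("PING :srv\r\nPRIVMSG #c :hi\r\n", 1));
    printf("no newline: %ld (-1 = rejected at bound)\n", irc_count_lines("AAAAAAAA", 1 << 20));
    return 0;
}
```

A line split across two chunks is reassembled before delivery, while a stream that never sends a newline is cut off after 511 buffered bytes instead of growing the buffer.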