[Pidgin] #6246: MSN receive crash fix after failed file open

Pidgin trac at pidgin.im
Fri Jul 4 09:07:54 EDT 2008


#6246: MSN receive crash fix after failed file open
--------------------+-------------------------------------------------------
Reporter:  sbrabec  |       Owner:  khc          
    Type:  defect   |      Status:  new          
Priority:  minor    |   Component:  MSN          
 Version:  2.4.3    |    Keywords:  file transfer
 Pending:  0        |  
--------------------+-------------------------------------------------------
 File receive in msn_slplink_process_msg() calls purple_xfer_start() and
 then it copies dest_fp to a private structure without checking.

 If the destination file open fails for any reason, the whole xfer
 structure was already unref'ed in purple_xfer_cancel_local().

 Attached patch fixes only the crash on the receiving side and not other
 aspects of this error:

 - Sending side thinks that transfer succeeded.

 - Creating a private copy of the file descriptor may be sub-optimal -
 libpurple provides its own file writing callback.

 References:

 CVE-2008-2955

 BUGTRAQ:20080626 Pidgin 2.4.1 Vulnerability

 FRSIRT:ADV-2008-1947

 SECUNIA:30881

-- 
Ticket URL: <http://developer.pidgin.im/ticket/6246>
Pidgin <http://pidgin.im>
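
The lifetime problem the ticket describes, as an added example that is not part of the ticket or of Pidgin's code: a self-contained toy model (every `toy_*` name is hypothetical) in which the start call releases the transfer when the destination open fails. The receive path pins the object with an extra reference and checks the outcome before taking the file pointer.

```c
/* Toy model, not libpurple code: every toy_* name is hypothetical. */
#include <stdio.h>
#include <stdlib.h>

typedef enum { TOY_NEW, TOY_STARTED, TOY_CANCEL_LOCAL } toy_status;
typedef struct { int ref; toy_status status; FILE *dest_fp; } toy_xfer;

static int toy_freed; /* counts frees so the object's lifetime is observable */

static toy_xfer *toy_xfer_new(void) {
    toy_xfer *x = calloc(1, sizeof *x);
    if (x == NULL) abort();
    x->ref = 1;
    return x;
}
static void toy_xfer_ref(toy_xfer *x) { x->ref++; }
static void toy_xfer_unref(toy_xfer *x) {
    if (--x->ref > 0) return;
    if (x->dest_fp) fclose(x->dest_fp);
    free(x);
    toy_freed++;
}

/* Models the start call: if the destination cannot be opened, the transfer
 * is cancelled locally and the reference it was created with is dropped. */
static void toy_xfer_start(toy_xfer *x, const char *path) {
    x->dest_fp = fopen(path, "wb");
    if (x->dest_fp == NULL) {
        x->status = TOY_CANCEL_LOCAL;
        toy_xfer_unref(x); /* without a pin, x is freed right here */
        return;
    }
    x->status = TOY_STARTED;
}

/* Checked receive path. An unchecked caller would read x->dest_fp after the
 * free above; here x is pinned first and the status is tested before use. */
static FILE *toy_receive_begin(toy_xfer *x, const char *path) {
    FILE *fp = NULL;
    toy_xfer_ref(x);                 /* keep x alive across the start call */
    toy_xfer_start(x, path);
    if (x->status == TOY_STARTED) {
        fp = x->dest_fp;             /* private copy, as in the ticket */
        x->dest_fp = NULL;           /* ownership moves to the caller */
    }
    toy_xfer_unref(x);               /* frees x if start cancelled it */
    return fp;                       /* NULL means the open failed */
}
```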