[Pidgin] #17342: Windows Pidgin builds suffer from broken ASLR
Pidgin
trac at pidgin.im
Mon Sep 17 15:10:45 EDT 2018
#17342: Windows Pidgin builds suffer from broken ASLR
---------------------------+---------------------------
Reporter: DrWhax | Owner:
Type: defect | Status: new
Milestone: | Component: pidgin (gtk)
Version: 2.13.0 | Resolution:
Keywords: security aslr |
---------------------------+---------------------------
Description changed by DrWhax:
Old description:
> Hi,
>
> I was battling with mingw-w64 for pidgin-otr and came across this cmu.edu
> blogpost about it:
> https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html
>
> When looking at the last screenshot (@olabini pointed me to it), it shows
> Pidgin suffers from the relocation table issue.
>
> After running the Python script link I can say that the latest Pidgin
> 2.13 release still suffers from broken ASLR.
>
> {{{
> python checkaslr.py pidgin/
> Crawling root directory: /home/user/QubesIncoming/personal1/ ...
> The following files are linked with /DYNAMICBASE, but may not be
> compatible with ASLR:
> /home/user/xxx/pidgin-2.13.0.exe : 0x400000
> }}}
>
> Mitigation is listed in the blogpost by cmu.edu
New description:
Hi,

I was battling with mingw-w64 for pidgin-otr and came across this cmu.edu
blogpost about it:
https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html

When looking at the last screenshot (@olabini pointed me to it), it shows
Pidgin suffers from the relocation table issue.

After running the Python script link I can say that the latest Pidgin 2.13
release still suffers from broken ASLR.

{{{
python checkaslr.py pidgin/
Crawling root directory: /home/user/xxx/ ...
The following files are linked with /DYNAMICBASE, but may not be
compatible with ASLR:
/home/user/xxx/pidgin-2.13.0.exe : 0x400000
}}}
Mitigation is listed in the blogpost by cmu.edu
--
Ticket URL: <https://developer.pidgin.im/ticket/17342#comment:2>
Pidgin <https://pidgin.im>
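
An added example, not the checkaslr.py script mentioned in the ticket and not Pidgin project code: a header check for the condition reported above, a PE that is marked /DYNAMICBASE but carries no relocation table the loader could use to move it. The names `aslr_status` and `make_pe32` are hypothetical, and the sample image is a constructed header-only PE32 using the 32-bit default image base 0x400000.

```python
import struct

RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED, COFF Characteristics
DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (/DYNAMICBASE)
BASERELOC = 5             # IMAGE_DIRECTORY_ENTRY_BASERELOC

def aslr_status(pe: bytes) -> dict:
    """Report whether a PE asks for ASLR and whether the loader can relocate it."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)         # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (characteristics,) = struct.unpack_from("<H", pe, nt + 22)
    opt = nt + 24                                       # optional header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                  # PE32
        (image_base,), dirs = struct.unpack_from("<I", pe, opt + 28), opt + 96
    elif magic == 0x20B:                                # PE32+
        (image_base,), dirs = struct.unpack_from("<Q", pe, opt + 24), opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", pe, opt + 70)
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)   # NumberOfRvaAndSizes
    rva = size = 0
    if ndirs > BASERELOC:
        rva, size = struct.unpack_from("<II", pe, dirs + 8 * BASERELOC)
    dynamic = bool(dll_chars & DYNAMIC_BASE)
    has_relocs = not (characteristics & RELOCS_STRIPPED) and rva != 0 and size != 0
    return {"image_base": image_base, "dynamic_base": dynamic,
            "has_relocs": has_relocs, "broken_aslr": dynamic and not has_relocs}

def make_pe32(dll_chars: int, characteristics: int, reloc=(0, 0)) -> bytes:
    """Constructed header-only PE32 (no sections), just enough for aslr_status()."""
    buf = bytearray(0x40 + 24 + 96 + 16 * 8)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x40 + 20, 96 + 16 * 8, characteristics)
    opt = 0x40 + 24
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 28, 0x400000)     # preferred image base
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    struct.pack_into("<I", buf, opt + 92, 16)
    struct.pack_into("<II", buf, opt + 96 + 8 * BASERELOC, *reloc)
    return bytes(buf)

if __name__ == "__main__":
    print(aslr_status(make_pe32(DYNAMIC_BASE, RELOCS_STRIPPED)))
```

To check a real build, pass the file's bytes (`open(path, "rb").read()`) to `aslr_status`; a result with `broken_aslr` set means the flag is present but the image will load at its preferred base.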