oss-sec mailing list archives
libpurple vulnerability disclosure and fix
From: Ethan Blanton <elb () psg com>
Date: Sat, 1 Oct 2011 16:48:00 -0400
Hello all,

A libpurple vulnerability was made known to the Pidgin developers via our public bug tracker which affects the SILC protocol plugin and all software which uses SILC via libpurple. The original identification of the vulnerability and bug report was made by Diego Bauche Madero from IOActive <diego.madero () ioactive com>, and can be seen on the Pidgin bug tracker as Bug #14636:

http://developer.pidgin.im/ticket/14636

The vulnerability lies in calling g_markup_escape_text() on strings which have not been verified as valid UTF-8. This function is not required to do anything reasonable with invalid UTF-8, and indeed reads past the end of the string and will eventually segfault for certain sequences in some versions of Glib 2. Because the behavior of this function is undefined, and depends on the particular version of Glib 2 in use, the complete ramifications of this bug are unknown. Remote crashing of a libpurple client by untrusted users via specifically crafted SILC messages is a verified vulnerability.

This bug is believed to affect all releases of libpurple up to and including version 2.10.0.

The correct fix for this bug is UTF-8 validation (and correction if necessary) of the incoming string before passing it to Glib. A patch which provides this fix has been applied to the Pidgin sources in revision 7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8 and will appear in all future Pidgin releases. For reference, it is:

http://developer.pidgin.im/viewmtn/revision/diff/be5e66abad2af29604bc794cc4c6600ab12751f3/with/7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8

All packagers of libpurple (including monolithic Pidgin and/or finch packages) who have not already done so are encouraged to apply this change to their packages immediately.

We would also like to request a CVE number for this issue.

Any sensitive follow-ups to this issue, or any other Pidgin, finch, or libpurple issue, may be directed to security () pidgin im.

Thank you,
Ethan