Date: Tue, 04 Oct 2011 14:02:09 -0400 (EDT) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: security@...gin.im Subject: Re: libpurple vulnerability disclosure and fix Please use CVE-2011-3594. Thanks. -- JB ----- Original Message ----- > Hello all, > > A libpurple vulnerability was made known to the Pidgin developers via > our public bug tracker which affects the SILC protocol plugin and all > software which uses SILC via libpurple. The original identification > of the vulnerability and bug report was made by Diego Bauche Madero > from IOActive <diego.madero@...ctive.com>, and can be seen on the > Pidgin bug tracker as Bug #14636: > > http://developer.pidgin.im/ticket/14636 > > The vulnerability lies in calling g_markup_escape_text() on strings > which have not been verified as valid UTF-8. This function is not > required to do anything reasonable with invalid UTF-8, and indeed > reads past the end of the string and will eventually segfault for > certain sequences in some versions of Glib 2. Because the behavior > of > this function is undefined, and depends on the particular version of > Glib 2 in use, the complete ramifications of this bug are unknown. > Remote crashing of a libpurple client by untrusted users via > specifically crafted SILC messages is a verified vulnerability. > > This bug is believed to affect all releases of libpurple up to and > including version 2.10.0. > > The correct fix for this bug is UTF-8 validation (and correction if > necessary) of the incoming string before passing it to Glib. A patch > which provides this fix has been applied to the Pidgin sources in > revision 7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8 and will appear in > all future Pidgin releases. For reference, it is: > > http://developer.pidgin.im/viewmtn/revision/diff/be5e66abad2af29604bc794cc4c6600ab12751f3/with/7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8 > > All packagers of libpurple (including monolithic Pidgin and/or finch > packages) who have not already done so are encouraged to apply this > change to their packages immediately. > > We would also like to request a CVE number for this issue. > > Any sensitive follow-ups to this issue, or any other Pidgin, finch, > or > libpurple issue, may be directed to security@...gin.im. > > Thank you, > Ethan >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.