Bug 1154909 (CVE-2014-3695)
Summary: | CVE-2014-3695 pidgin: crash in Mxit protocol plug-in | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED ERRATA | QA Contact: | |||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | unspecified | CC: | cschalle, debarshir, mbarnes, security-response-team, sisharma, vdanen | ||||
Target Milestone: | --- | Keywords: | Reopened, Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | pidgin 2.10.10 | Doc Type: | Bug Fix | ||||
Doc Text: |
A denial of service flaw was found in the way Pidgin's Mxit plug-in handled emoticons. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to crash Pidgin by sending a specially crafted emoticon.
|
Story Points: | --- | ||||
Clone Of: | Environment: | ||||||
Last Closed: | 2019-06-08 02:35:18 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 1155838, 1340770, 1403136, 1446519 | ||||||
Bug Blocks: | 1154913, 1415638 | ||||||
Attachments: |
|
Description
Murray McAllister
2014-10-21 03:19:33 UTC
Created attachment 948787 [details]
patch from upstream
Public now: http://www.pidgin.im/news/security/?id=87 Created pidgin tracking bugs for this issue: Affects: fedora-all [bug 1155838] pidgin-2.10.10-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. pidgin-2.10.10-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. Analysis ======== 1. In fuction, asn_getUtf8( const gchar* data, gsize data_len, gchar type, char** utf8 ) which is part of mxit protocol. { unsigned int len; gchar *out_str; ... 2. malloc and and memcpy is done without checking the length being passed, which is the length of the emoticon being sent or used which can cause crash by sending specially crafted emoticon. out_str = g_malloc(len + 1); memcpy(out_str, &data[2], len); /* data field */ This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:1854 https://access.redhat.com/errata/RHSA-2017:1854 |